Foreword


Like any scientific project, the present book owes its form to a large number 
of suggestions and discussions by and with the scientific community. Thanks 
go first to Prof. Dr. phil. Klaus Bengler (TU Munich, Mechanical Engineering, 
Chair of Ergonomics), Prof. Dr. jur. Dr. phil. Eric Hilgendorf (Julius-Maximilian- 
University Würzburg, Robotics Law Research Centre, Chair of Criminal Law, 
Criminal Justice, Legal Theory, Information and Computer Science Law) and 
Prof. Dr. Holger Sommerfeldt (Management and Organization, Rector of IU 
International University). 


New technological changes through Artificial Intelligence are changing our
entire world, including flexible teamwork and product management, within the
dilemma of innovation, ethics, legal risks and international conflicts. Every
one of us, and everything around us, will be intelligently networked. The age
of machines with their own consciousness is beginning. Under these conditions,
intelligent AI systems will penetrate all areas of this world, giving rise to a
completely new understanding of the relationships between humans and machines.
These new types of interaction, from digital and intelligent agents to humans
and machines, mark the beginning of the age of hybrid intelligence. Artificial
Intelligence is already changing the way organizations operate and how
sustainable management decisions are made. The author's consulting experience
in team development increasingly confronts him with new hybrid or home-working
models that change teamwork through digitalization and Artificial Intelligence.
Teamwork will increasingly become networked, virtual and collaborative, with
robotic support using various management approaches. The focus will be centred
on intrinsically human key skills, such as solving complex problems or
creativity. Furthermore, critical thinking, sustainable communication,
corporate social responsibility, empathy, mindfulness and curiosity will be
more important than ever before (see Annex B: Detailed questions).
Managing and shaping this dimension of the digital transformation for a
successfully interacting team of diverse personalities and disciplines requires
sustainable, “turbulence-stable” design principles. Other personal team and
leadership skills include knowledge, alertness, agility, trust, confidence in
decision-making and inner presence. Ultimately, trained mindfulness is
required: effective communication between stable attention and perceptive,
focused peripheral awareness. This effective communication enables leaders and
team members to respond meaningfully to environmental conditions. Enhanced
mindfulness, for example through Mindfulness-Based Stress Reduction (MBSR),
enables effective differentiation between conflicting pieces of information in
order to extract the essential. As a result, such technological changes also
create new opportunities for successful interdisciplinary teamwork in
sustainable product development between Artificial Intelligence, ethics and the
associated liability risks. Stephen William Hawking, former professor of
applied mathematics and theoretical physics at the University of Cambridge,
already pointed out the risks: “Success in creating Artificial Intelligence
would be the biggest event in human history. Unfortunately, it might also be
the last, unless we learn how to avoid the risks”.


Regarding Corporate Social Responsibility and Sustainability, the author refers
in Annex B to the United Nations Sustainable Development Goals (SDG) as a call
to act for sustainable development on our planet. These topics include: no
poverty, zero hunger, health and well-being, quality education, clean water,
affordable clean energy, decent work and economic growth, industry, innovation
and infrastructure, sustainable cities and communities, responsible
consumption and production, climate action, and peace, justice and strong
institutions.

In addition, the author references a nonprofit initiative called the Inner
Development Goals (IDG), which aims to accelerate realization of these UN goals
with priorities on:


1. Cultivating our inner life and our relationship to our thoughts and
feelings, so as to be present, act with intention and remain non-reactive
when confronted with complexity.

2. Developing our cognitive skills for wise decision-making.

3. Caring for others and the world with sustainable systems, and feeling
connected to others.

4. The ability to collaborate with stakeholders of different values and
competencies.

5. Courage and optimism to break old patterns with creative Design Thinking
and to act with perseverance in uncertain times.
This dilemma of sustainable management between Artificial Intelligence,
ethics and legal risk is examined in this book using the example of the
development of safe autonomous or automated vehicles.


Recognize your challenges. 
Go beyond previous limitations and abilities. 
Discover where courage and passion can take you. 




Through mindful conscious leadership, 
everyone can contribute with expertise 
and dedication to a great team result. 




Munich, April 2022
Prof. Dr.-Ing. MBA Thomas Winkle
Abstract


New working models are transforming how teams in organizations collaborate
using digitization and Artificial Intelligence. Managers and employees are
confronted with new ethical dilemmas, legal risks and international conflicts.
Growing consumer expectations under flexible, virtually networked working
conditions, a desired way of working following the concepts of New Work, and
international conflicts accompanied by Artificial Intelligence place high
demands on a sustainable leadership culture and on leadership strategies for
the development of safe products. Manufacturers must develop as safely as
possible according to the state of the art in science and technology, weighing
up risks, technical suitability and economic and ethical reasonableness.
Otherwise they can be held responsible for damage caused by the technical
system. In this research, the author develops innovative ways to meet this
high safety standard in collaboration with interacting experts as part of
interdisciplinary development teams (see Fig. 4.13, Fig. 4.14 and Fig. A.19).

Initially, Chapter 2 uses an exemplary meta-analysis of previous traffic
accident data, which has so far only been researched selectively, to document
the possibilities and limitations of assessing the safety potential of vehicle
systems. The analysis takes different levels of automation into account, both
a posteriori and a priori.

Following these findings, Chapter 3 documents the first in-depth analysis of 
1.28 million accidents covering the entire area of one German state, including 
374 crashes with restricted visibility due to weather and light conditions. The 
comparison between machine and human perception related to accident causes 
shows the need to include such scenarios in the development and validation for 
safe automated vehicles. 


Chapter 4 describes the growing consumer expectations and the positive
development of vehicle safety in recent decades. From the initial idea to
development and sign-off, the book presents examples of common standards
including tools and method descriptions. This is followed by a development
guide with a checklist for sustainable management and self-reflective work
teams, with 303 questions on the requirements that contribute to the duty of
care in the development of automated vehicles and satisfy the rulings of the
highest courts on product liability.

Finally, in Chapter 5, qualitative interviews with engineers, executives and
a psychologist from the development departments of automobile manufacturers
show perceived risks and wishes for the future. This yields in-depth insights
into previous ways of working, the state of knowledge, attitudes, expectations
and challenges. The resulting checklist in Annex B supports a structured,
guideline-based team process with expert feedback loops and criteria for the
team members' own self-reflection. The elaborated questions promote
sustainability and inner development as well as sustainable quality in
interdisciplinary teams for customer-oriented usability in terms of safety in
use and functional safety.


This book demonstrates that sustainable management, area-wide data, structu- 
red guidelines for complete processing within interdisciplinary networking teams 
and continuous exchange of experts make an essential contribution to successful 
interdisciplinary teamwork for a sustainable development in the dilemma between 
innovation and consumer protection. 

New innovative developments in the field of Artificial Intelligence should not
lead to humans being controlled by Artificial Intelligence. What is expected is
a controllable interaction between humans and increasingly intelligent
machines.

Mindful corporate and employee management within new working conditions (such
as New Work, remote work or hybrid work), including Artificial Intelligence,
goes hand in hand with a sustainable orientation for new developments. A
sustainable orientation includes knowledge of the existing objective facts,
such as statistical data evaluations. Furthermore, the possibilities and
risks, including the effects of Artificial Intelligence, as well as the ethical
and legal implications, have to be taken into account. On that basis,
political, economic and social decisions must be aligned in an equally
sustainable manner. Artificial Intelligence can support managers in linking
knowledge and in designing complex functions such as automated driving.
Furthermore, area-wide information on proven safety methods and on production
and sign-off processes, right through to marketing and product monitoring,
provides support.
Finally, management must ensure that new innovative product ideas are
implemented within interdisciplinary coordinated teams with the sustainable
intention of humane use.

For a successful implementation in the responsible teams, a summarized check- 
list in Annex B suggests appropriate knowledge, tools as well as methods to 
deepen self-reflection in the context of human-centered skills. 


Christopher Columbus (1451-1506) 
Explorer and navigator 


“Reliable information is essential for the success of a business.” 


Henry Ford (1863-1947)
Pioneering American entrepreneur and business magnate,
founder and developer of the Ford Motor Company


“Coming together is a beginning, 
keeping together is progress, 
working together is success.” 


Mother Mary Teresa Bojaxhiu (1910-1997) 
Albanian-Indian nun and missionary, Nobel Peace Prize 1979 


“... we can do small things with great love 
and together we can do something wonderful.” 


Zusammenfassung (German Summary)


New working models are transforming the collaboration of teams in
organizations with the support of digitalization and Artificial Intelligence.
Managers and employees face new ethical dilemmas and legal risks. Increased
consumer expectations under new, virtually networked working conditions, a
desired way of working following the concepts of New Work, and international
conflicts accompanied by Artificial Intelligence place high demands on a
sustainable leadership culture and on leadership strategies for the
development of safe products. Manufacturers must develop as safely as possible
according to the state of science and technology, weighing up risks,
technical suitability and economic and ethical reasonableness. Otherwise they
can be held responsible for damage caused by the technical system. In this
work, the author develops innovative ways to meet this high safety standard
across disciplines with experts from interdisciplinary development teams
(see Fig. 4.13, Fig. 4.14 and Fig. A.19).

Chapter 2 first uses a meta-analysis, taking traffic accident data that has so
far been researched only selectively as an example, to document the
possibilities and limits of assessing the safety potential of vehicle systems.
The analysis considers different degrees of automation, both a posteriori and
a priori. Through such an exemplary analysis, managers obtain an objective
data basis for sustainable corporate decisions.

Building on this, Chapter 3 documents, by way of example, the first area-wide
in-depth evaluation of 1.28 million traffic accidents, including 374 under
weather- and light-related visibility restrictions. The comparison between
machine and human perception as a cause of accidents shows the need to include
such scenarios in the development and validation of safe automated vehicles.
Such detailed findings help managers and employees to shape planned product
developments with machine intelligence so that the complex control of the
development processes remains with the responsible persons.

Chapter 4 traces the increased consumer expectations and the positive
development of vehicle safety over recent decades. From the first idea through
development to release, it presents examples of common standards including
tools and method descriptions. This is followed by a development guide for
sustainable management and self-reflective work teams with 303 questions on
the requirements that contribute to the duty of care in the development of
automated vehicles and satisfy the rulings of the highest courts on product
liability.

Finally, in Chapter 5, qualitative interviews with engineers, managers and a
psychologist from the development departments of automobile manufacturers
reveal perceived risks and wishes for the future. These yield deeper insights
into previous ways of working, the state of knowledge, attitudes, expectations
and challenges. The resulting checklist in Annex B supports a structured,
guideline-based process with feedback loops within the expert teams and for
personal self-reflection. The extended catalogue of questions promotes
sustainability and inner development in interdisciplinary teams as well as
sustainable quality for user-oriented safety in use and functional safety.


This book shows that sustainable management, area-wide data, structured
guidelines for complete processing within interdisciplinary networked teams,
and continuous exchange among experts make an essential contribution to
successful collaboration in the field of tension between innovation and
consumer protection.

New innovative developments in the fields of Artificial Intelligence should
not lead to humans being controlled by Artificial Intelligence. What is
expected is a controllable interaction between humans and increasingly
intelligent machines. The author's many years of consulting experience confirm
this.

Mindful corporate and employee leadership within new working conditions (New
Work, remote teamwork or hybrid teamwork), including Artificial Intelligence,
goes hand in hand with a sustainable orientation for new developments. A
sustainable orientation includes expert knowledge of the existing objective
facts, such as statistical data evaluations. Furthermore, the opportunities
and risks, including the effects of using Artificial Intelligence, as well as
the ethical and legal implications, must be taken into account. On that basis,
political, economic and social decisions must ultimately be aligned in an
equally sustainable manner. Artificial Intelligence can support managers in
linking knowledge and in designing complex functions, for example automated
driving. Area-wide information on proven safeguarding methods and on
production and release processes, right through to marketing and product
monitoring, provides further support.

Finally, management must ensure that new innovative product ideas are
implemented within interdisciplinary coordinated teams with the sustainable
intention of humane use.

For successful implementation in the responsible teams, a checklist (Annex B)
proposes appropriate knowledge, tools and methods for deepening
self-reflection in the context of human-centered skills.




Symbols 


Acceleration
Controllability
Distance
Unknown number
Probability of exposure
Frequency at which a hazard or hazardous event occurs
Mathematical function
Hours
Kilometers
Failure rate of the system
Meters
Miles per hour
Number
Probability
Risk
Seconds
Potential severity of the resulting harm or damage
Time
Speed
Free variable parameter
Year
1 Introduction


This book on the topic “Product Development within Artificial Intelligence,
Ethics and Legal Risk - Exemplary for Safe Autonomous Vehicles” was prepared
by the author on the basis of more than two decades of experience at
automobile manufacturers (Volkswagen AG, Audi AG, Daimler AG) in the legal
department, in product analysis and in traffic accident investigation, in
interaction with research and development through to market introduction.
This professional experience included the joint development of potential and
risk assessments for evaluating new automated systems that use image
recognition with Artificial Intelligence, based on results from accident
analysis. Further expertise came from the worldwide technical clarification
of product liability claims involving fatal personal injury and property
damage, including coordination with authorities and development, consultation
of the responsible lawyers, and preparation for depositions in court as a
company representative.

These experiences point to a tendency: future developments increasingly raise
the question of whether the manufacturer can be held responsible for damage
caused by the technical system. The manufacturer is judged on whether it has
done everything reasonable for a safe product after weighing the risks. This
requires safety measures which, according to the state of the art in science
and technology available at the time the product is placed on the market, are
constructively possible and appear suitable and sufficient to prevent damage.
If certain risks associated with the use of the product cannot be avoided
according to the relevant state of the art in science and technology, it must
be examined whether the hazardous product may be introduced into the market
at all. This examination considers the type and extent of the risks, the
probability of their occurrence and the benefits associated with the product.
Final inputs for this book resulted from the work for Daimler Research,
Development and the Daimler and Benz Foundation in the project “Villa Laden- 
burg — Autonomous Driving”. During this project, the technical, legal and social 
aspects of automated driving were investigated. 

The knowledge compiled in this book supports the development of safe
automated driving functions, especially with regard to availability,
reliability and, above all, risk minimization. Fulfilling the applicable
standards and laws for safety-related product development “between Innovation
and Consumer Protection” proves to be a very big challenge for all developers
involved. Repeated questions in the author’s internal consulting activities
within the development departments for safety-relevant and automated vehicle
systems at Volkswagen, Audi and Daimler AG confirm these uncertainties. This
experience was complemented by the Audi project management in charge of
preparing the development guideline “Code of Practice for the Design and
Evaluation of Advanced Driver Assistance Systems (ADAS)”, with mentoring for
its integration and implementation in the VW Group technical specifications.
The ADAS Code of Practice was defined in close cooperation with the first
drafts of ISO 26262 in the FAKRA Kreis (Facharbeitskreis Automobil). A first
meeting of the ISO group took place in 2005 (Ross H-L, 2019). The updated
ISO 26262:2018 also refers to the ADAS Code of Practice.

The motivation for this book was the increasing embedding of safety-relevant
components with complex electronic and mechatronic vehicle systems, as well as
human-machine interfaces, in new motor vehicles. These new possibilities, up
to fully automated driving, promise time savings due to a more homogeneous
traffic flow, which reduces the number of traffic jams and obstructions. The
time that would otherwise have to be spent at the wheel can then be used for
other activities. Furthermore, vehicles can be shared according to the
“ridesharing principle” (Lenz B, Fraedrich E, 2016). Several people can be
transported at the same time, so owning a car is no longer a must, and the
overall traffic volume becomes smaller, more sustainable and more efficient.
Even people without a driving license could travel in a fully automated car.
Ultimately, increasing automation of driving functions (notwithstanding the
considerable driving experience of humans) also promises greater road safety,
as individual, human-related driving errors can be avoided.

Ever since the first Benz patent motor car in 1886, individual mobility by
motor vehicle has been the subject of controversial discussions, for example
on environmental or social issues. A sad negative record was reached in 1970:
almost 600,000 injured road users and 21,332 road deaths occurred in Germany
alone (Statistisches Bundesamt 2018). Today the automotive industry is
confronted with fundamental strategic questions around the world more than
ever before, in particular concerning economical, environmentally friendly and
automated driving technologies. Major advances in scientific and technical
knowledge are the cause of a fundamental, disruptive change in this sector.

In the twentieth century, the Austrian economist Joseph Schumpeter described
such extreme changes as “creative destruction”: according to Schumpeter, a new
order can only arise through destruction (Schumpeter, J. A. 1942 and 2017).
The Harvard economist Clayton Christensen described these transitions as
“disruptive innovations” that involve shocks and the complete reshaping of
industries (Christensen, C. M. 2003). Peter Drucker held that innovation and
entrepreneurship are disciplines with their own fairly simple rules (Drucker
P, 2014).

Robots are already replacing drivers in pilot and research projects. Image
recognition using Artificial Intelligence (AI), Deep Learning and neural
networks allows continuous automation of driving tasks in vehicle guidance, up
to driverless vehicles. Environment sensors can provide the location
(coordinates x, y, z, or distance and angle), the dimensions (length, width,
height) and the speed (longitudinal/transverse or relative) of an object.
Artificial Intelligence (AI) refers to computers performing tasks that
otherwise require human intelligence. Humans have no problem recognizing
objects and forming these observations into a mental model of the world.
Through Deep Learning with neural networks, a learning method in Artificial
Intelligence, vehicles are able to “learn” to understand their environment.
Data processing by methods such as “real-time scene labeling” is making
significant progress. Further technological development of driver assistance
systems with powerful sensor and information technologies is a prerequisite
for the steady automation of driving tasks in vehicle control. The former
chairman of Daimler’s Board of Management, Dr. Dieter Zetsche, said:


Anyone who only thinks of technology has not yet realized how autonomous driving 
technology will change our society. The car grows beyond its role as a means of 
transport and is finally becoming a mobile living space (Daimler AG Media, 2019). 


Over the next two decades, in addition to technical and legal challenges,
questions of responsibility, tolerances, expectations and the relationship
between human and machine will have to be redefined for self-driving cars.
The best technology will not be perfect, although it will make fewer errors
than a human being. In the future, the car will do the same as we do: it will
learn every day and thus cope ever better with the complex demands of modern
private transport (Ernst & Young Global Limited, 2015).


1.1 Initial situation 


To meet consumers' expectations, the development of automated driving,
especially fully automated driving, calls for the management of the associated
risks. On the one hand, there is pressure to introduce connected automated
vehicles to the market in the hope of more efficient, more comfortable and
safer traffic. On the other hand, the performance of the automated system
should be designed in such a way, based on the predefined framework
conditions, that no safety issues arise.

Probably every driver can still remember the exciting practical driving test: 
to show the driving examiner — after some driving hours such as motorway, city 
tour or night trip — that the vehicle can be controlled safely in a collision-free 
and rule-consistent manner. It was clear that only the subsequent practical expe- 
rience made the driver a safe driver who could control even challenging traffic 
situations. Sometimes we learn that safe driving does not necessarily have to 
be compliant with the rules especially if an evasive maneuver could avoid the 
impending collision. 

The question for the future is: how should vehicles with advanced automa- 
ted systems including driverless vehicles prove that they can handle a sufficient 
number of traffic situations safely? 

Individual test drives as in the past are certainly not enough. As an example
of typical test kilometers for a new vehicle approval, Daimler AG reports a
total of more than 12 million test kilometers for the W213-series Mercedes
E-Class (market introduction 2016). By comparison, 36 million kilometers were
covered for the previous W212 series, a model built from 2009 to 2016
(Maurer, Gerdes, Lenz, Winner, 2016). Better simulations and consistent
improvement of the prototypes made it possible to test intensively and in
detail from the beginning.

Because scientists calculated that billions of test kilometers would be
required, solutions with far more support from simulation and further safety
verification became necessary. It may be assumed that the number of test
kilometers depends on the number of kilometers driven between two fatal
accidents. Following this argument and the figures from the German Federal
Statistical Office for a motorway pilot, 662 million kilometers would have to
be tested between two fatal accidents. Under the assumption of other
influencing factors, the distance is extended by a multiple. Billions of
kilometers would be needed for such a test, which would still take a long
time. The problem is even larger: if improvements are made after a test, the
test must be repeated afterwards in order to be on the safe side. The aim is
to reduce the risk of accidents to a minimum or, ideally, to eliminate it as
far as possible; the following cases show what is at stake:
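To make the arithmetic behind this argument concrete, the following is an added worked example; it is not code from the book or from any manufacturer named in it. It models fatal crashes as a Poisson process (this example's own assumption) and asks how many test kilometers must be driven with at most a given number of fatal crashes before one can state, at a chosen confidence level, that the automated system is at least as safe as the 662 million km between two fatal accidents cited above. The 95 % confidence level, the fleet size of 100 vehicles, the 1,440 km per vehicle and day, and the number of release candidates are assumed values for illustration.

```python
"""Added worked example: test distance required to demonstrate a fatality
rate, starting from the 662 million km figure quoted in the text.

Assumption of this example (not from the book): fatal crashes occur as a
Poisson process with an unknown rate lambda (fatal crashes per km). If the
fleet drives D km and at most k fatal crashes occur, a rate as bad as
lambda_0 = 1 / km_per_fatality can be rejected once the probability of
seeing <= k crashes under lambda_0 falls below 1 - confidence.
"""
import math


def poisson_cdf(k: int, mean: float) -> float:
    """P(X <= k) for X ~ Poisson(mean); summed directly since k is small."""
    return sum(math.exp(-mean) * mean ** i / math.factorial(i)
               for i in range(k + 1))


def required_distance(km_per_fatality: float, confidence: float = 0.95,
                      max_events: int = 0) -> float:
    """Smallest test distance D (km) such that observing at most
    `max_events` fatal crashes in D km rejects, at the given confidence,
    the hypothesis that the system is no safer than 1 / km_per_fatality."""
    rate = 1.0 / km_per_fatality
    alpha = 1.0 - confidence
    if max_events == 0:
        # P(no crash in D km) = exp(-rate * D) <= alpha  ->  closed form
        return -math.log(alpha) / rate
    # For k > 0 the CDF decreases monotonically in D, so bisect on D.
    lo, hi = 0.0, km_per_fatality * 100.0
    while hi - lo > 1.0:                      # 1 km resolution is plenty
        mid = (lo + hi) / 2.0
        if poisson_cdf(max_events, rate * mid) > alpha:
            lo = mid                           # not yet enough distance
        else:
            hi = mid
    return hi


def fleet_days(distance_km: float, vehicles: int,
               km_per_vehicle_day: float) -> float:
    """Calendar days a fleet needs to accumulate `distance_km`."""
    return distance_km / (vehicles * km_per_vehicle_day)


def campaign_distance(km_per_fatality: float, iterations: int,
                      confidence: float = 0.95) -> float:
    """Total distance when the demonstration must be repeated after every
    software change, as the text notes: `iterations` release candidates,
    each needing a fresh zero-event demonstration."""
    return iterations * required_distance(km_per_fatality, confidence)


if __name__ == "__main__":
    BASELINE_KM = 662e6                      # figure quoted in the text
    d0 = required_distance(BASELINE_KM)      # zero fatal crashes allowed
    d1 = required_distance(BASELINE_KM, max_events=1)
    print(f"0 fatal crashes, 95 % confidence: {d0 / 1e9:.2f} billion km")
    print(f"1 fatal crash,   95 % confidence: {d1 / 1e9:.2f} billion km")
    # Assumed fleet: 100 test vehicles at 60 km/h around the clock
    days = fleet_days(d0, vehicles=100, km_per_vehicle_day=1_440)
    print(f"100 vehicles at 1,440 km/day: {days / 365:.0f} years")
    print(f"Three release candidates, each re-tested: "
          f"{campaign_distance(BASELINE_KM, 3) / 1e9:.1f} billion km")
```

With zero fatal crashes the zero-event bound alone already requires roughly three times the baseline distance (about 1.98 billion km at 95 % confidence), and allowing a single fatal crash during the test pushes the requirement past 3 billion km. That is the gap between the 12 million test kilometers of a conventional model series and the "billions" the text refers to, and it is why the argument turns to simulation and bench testing rather than road mileage alone.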

Potential safety issues led to a recall of a so-called “Full Self-Driving
System” (NHTSA, 2022), and earlier, in 2016, to the first of several fatal
accidents, which occurred in Florida. The driving system for longitudinal and
lateral assistance from a US car manufacturer, called “Autopilot”, was
activated while the driver reportedly watched a Harry Potter video instead of
paying attention to traffic. This crash showed the limitations of a Level 2
automation system (see Fig. 2.1) in combination with the driver’s overreliance
on a function that was improperly advertised as an “autopilot” (see Ch. 2).

The first fatal crash of a vehicle in fully automated test mode with a safety
driver on board killed a woman who was pushing her bike across the street in
Tempe, Arizona, in 2018 (see Sec. 4.7.1.2).

We know that acceptance of system performance varies. Nevertheless, for the
further development of automated systems (based on environment sensors such
as radar, lidar, video etc.), the examples described above make distinct
safety issues for development and validation evident.

It is generally assumed that a vehicle able to cope with critical situations
can probably also control simple traffic situations. In particular, one aim
is to maximize the proportion of simulation and laboratory bench tests in
order to integrate comprehensive tests into development processes at a very
early stage and to limit the effort on test tracks or in real-world traffic
to a justifiable level.

A further question is: where are the limits of testing via simulation? This
becomes challenging, for example, with complex sensor technology. It is
hardly possible to simulate which signals the individual sensor types still
perceive under certain weather or lighting conditions and whether they are
able to recognize the surroundings adequately. The Florida accident mentioned
above is an example: supposedly, the camera was blinded by the low sun and
could not recognize the crossing truck.


1.2 Objective and Research Questions 


Automotive technology must be designed to be “reasonably safe” and with “duty
of care”: if certain risks associated with the use of a product cannot be
avoided, it must be assessed whether the dangerous product may be placed on
the market at all, considering the risks, the probability of their occurrence
and the benefits associated with the product. Vehicles have to be designed
within the limits of what is technically possible and economically
reasonable, according to the respective current state of the art and of
science, and must enter the market in a form that is suitable and sufficient
to prevent damage (German Federal Court of Justice, Bundesgerichtshof, 2009).

A practice-oriented understanding of such required acceptable risks, as a basis
for decisions on a safe system design, is a prerequisite for the corresponding
development process. With regard to these requirements, developing safe automated
vehicles between innovation and consumer protection leads to a more detailed
analysis with the following questions:


— Which risks are known from accident research? (chapter 2, 3)

— What will be technically acceptable? (designing complex technology safely, limits
of sensor technology or Artificial Intelligence, system safety) (chapter 2, 3, 4)

— Which benefits can be cited for introducing such systems? (chapter 2, 3, 4)

— How can accident research be used for a safety (risk) assessment? (chapter 2, 4)

— How safe is safe enough? (chapter 2, 4, 5)

— How can safety of usage be proven? (fuzzy logic of human factors) (chapter 3, 4)

— How can reliability be proven? (customer satisfaction) (chapter 3, 4, 5)

— What is legally acceptable? (chapter 4)

— Which conditions support the development team in developing a safe system?
(chapter 4, 5)
2 Findings from Traffic Accident Analysis


This chapter starts with findings and limits of accident investigation regarding 
potential safety-enhancing vehicle systems with low degrees of automation. 

Contents of this chapter were prepublished in the Springer book Autonomous
driving — technical, legal and social aspects (Winkle, Safety Benefits of
Automated Vehicles: Extended Findings from Accident Research for Development,
Validation and Testing, 2016a).

So far, there has been no sufficient experience with series applications of fully
automated vehicles. A safety prognosis of such features depends on assumptions
regarding market penetration and technological progress.

Therefore, based on his work experience, the author recommends combining
area-wide traffic accident, weather and vehicle operation data as well as traffic
simulations in order to develop, test and validate safe automated vehicles with
reasonable expenditure.

The aim is to focus on the essentials and to validate using a scenario cata- 
logue. Few tests under special conditions replace many simple tests. Taking into 
consideration human and machine perception, these findings result in a realistic 
evaluation of internationally and statistically relevant real-world traffic scenarios 
as well as error processes and stochastic models. These, in combination with vir- 
tual tests in laboratories and driving simulators, can be analyzed to prevent critical 
driving situations. 
2.1 Motivation


Since the beginning of the millennium, automobile manufacturers have made
active steering-assistance systems (Lane Keeping Assistance Systems — LKAS) in
combination with active distance keeping (Adaptive Cruise Control — ACC) available
for series production vehicles. The combined functionality was introduced into the
Japanese market for right-hand drive vehicles such as the Nissan Cima (2001) and
the Honda Inspire (2003). Since then, partially automated driving (see Ch. 2.2) of
up to 20 seconds has been possible under the driver’s supervision when using both
assistance systems (author’s test drives in 2003). German manufacturers, starting
with the VW Passat CC (2008), have been selling active steering systems in
selected models as an optional feature (Katzourakis, Olsson, Lazic & Lidberg,
2013). In December 2021, the German Federal Motor Transport Authority granted
the world’s first type approval for an Automated Lane Keeping System (ALKS) from
Mercedes-Benz. The basis for the Drive Pilot in the Mercedes S-Class and EQS
(2022) is UN Regulation Number 157 (Kraftfahrtbundesamt KBA, 2021).

In times of increasing market penetration of active safety systems, statistics by
the Federal Statistical Office of Germany have shown a decrease in road accident
fatalities: while 21,332 people died in road accidents in Germany in the year 1970,
the number had been reduced by more than six times by 2020, with 2,719 fatalities
(Statistisches Bundesamt 2018). This is even more significant as at the same time
driven mileage increased by almost 30 percent (251 billion kilometers in 1970,
736 billion kilometers in 2018; Kraftfahrtbundesamt). Among the remaining
accidents are some that might have been prevented by automated vehicle
functions. Potential safety benefits can be determined on the basis of accident
data, namely the fall in accident-related fatalities. Examples given in this book
demonstrate the possibilities and limits of analyzing this data.

Various organizations carry out traffic accident research all over the world. This
encompasses the subfields of accident surveys/statistics, accident reconstruction,
and accident analysis (Kramer, 2013). The basis for accident research in Germany
is the investigation carried out by the police. Additionally, other institutions
carry out their own accident research, such as the Traffic Accident Research
Institute of TU Dresden GmbH (Verkehrsunfallforschung, or VUFO) and the Hannover
Medical School, as well as vehicle manufacturers and the German insurance
industry. A comprehensive source of data is the investigation of accidents at the
scene, which are also statistically recorded and evaluated according to certain
weighted characteristics. Acquired data can be used for the safety-enhancing
further development of vehicle automation. The following chapters exemplarily
demonstrate automated vehicles’ potential safety benefits as well as the limits of
findings and predictions resulting from accident data collections.

The following chapters focus on two questions, using specific examples from 
accident research: 


— How significant are analyses and findings from road accident research for the
introduction of connected automated vehicles?

— How can potential safety benefits of automated vehicles be proven?


2.2 Categorizing the Levels of Driving Automation 


To illustrate the potentials and limits of accident data analyses, three categories
for levels of driving automation (concerning the degree of vehicle guidance) will be
used. This categorization is derived from a BASt project publication, “Legal
consequences of an increase in vehicle automation” (Gasser et al. 2012), which
lists two further categories. Its five degrees of automation start with
conventional vehicle guidance, called “driver only”, where the driver is constantly
responsible for the vehicle’s longitudinal and lateral motion. The classification
continues with driver assistance (“assisted”) and partial automation (“partially
automated”), with permanent driver supervision. Lastly, the levels of high
automation (“highly automated”) and full automation (“fully automated”) permit
humans to stay out of the vehicle guidance process some or all of the time (Gasser
et al. 2012). Vehicles currently on the market are neither highly nor fully
automated. As a consequence, no accident data exist regarding these categories,
which therefore will play no role in the examples below.

In order to give a complete overview, another two classifications are mentioned:
similar to the BASt project, five levels were defined by the American NHTSA
agency (National Highway Traffic Safety Administration, 2013). Subsequently,
SAE International (formerly Society of Automotive Engineers) developed six
distinctions in its SAE J 3016 standard and describes their minimum requirements.
These levels have been valid since January 2014 and are commonly used today;
since 2021 they have also been adopted in ISO/SAE PAS 22736. They correspond to
the BASt levels published previously in 2012, with two differences: not only are
the names of the levels different, but SAE adds level 5 (full automation), at
which the automated driving system performs the complete driving task under all
conditions a human driver can manage (Society of Automotive Engineers, 2014);
(see Fig. 2.1). The technical definition “full automation” is also described
under the term autonomous driving technology and includes a variety of possible
applications and characteristics (e.g. Interstate Pilot, Valet Parking, Vehicle on
Demand, Driver for Extended Availability) (Wachenfeld et al., 2016; Donges, 2016).
A total of three instance groups (“internal”, e.g. adult or underage passengers,
disabled persons; “the driving robot”; and “external”, e.g. authorities, police)
can take over the driving of the vehicle.

Fundamental questions to the developers are: 


— At what level of vehicle guidance does an internal or external group or the
autonomous vehicle itself have the ability to intervene?

— At what level of vehicle management does an internal or external group or the
autonomous vehicle itself have the authority to intervene?

— Which instance is dominant in the conflict of simultaneous intervention?

— How is the hierarchy between the instances defined?

— Is the autonomous vehicle allowed to, or does it have the possibility to,
disregard applicable rules in order to avoid greater damage?
Fig. 2.1 Levels of automation according to BASt, NHTSA, SAE J 3016 and ISO/SAE
PAS 22736. (Source: BASt, NHTSA, SAE J 3016 and ISO/SAE PAS 22736)
2.3 Accident Data to Demonstrate Potential Safety Benefits and Risks


Basically, automotive technology has always been considered as a technology 
with undesired side effects. An unambiguous understanding of acceptable risks 
that can be taken as a basis for decisions on automated system designs is a 
prerequisite for a safe development process. 

Where do relevant risks caused by automated driving come from? 

First of all, safety-related failures caused by hardware (random failures and
design errors) are possible. Furthermore, software errors (design errors and
inadequate quality assurance) will continue to gain significance. Such issues have
been discussed for many years within automotive manufacturers and suppliers.
Many new standards have been established over the last years to ensure traffic
safety.

Behind all these activities, however, a basic question always has to be answered:
what is an acceptable risk of automated driving technologies, and how can it be
determined and evaluated? People take risks when they have personal control.
Is the assessment of risk based on frequencies or probabilities? How is the risk
perceived? Will it be accepted or not?

In general, there is a strong tendency to assess risks based on individual cases.
A single accident can be an opinion-forming event. On April 26, 1986, a unit of
the Chernobyl nuclear power plant in Ukraine exploded. About 25 years later, on
March 11, 2011, the reactor cores of three reactors at the Fukushima Daiichi
nuclear power plant in Japan melted. Although the two disasters are not
comparable, both Chernobyl and Fukushima released massive amounts of radioactive
material. Two clearly different reactor types were affected. Block 4 at Chernobyl
was a water-cooled and graphite-moderated reactor, a combination that can trigger
uncontrolled chain reactions, as occurred in the case of Chernobyl. The accident
was caused by an experiment carried out by the operating crew, which got
completely out of control. The plan was to simulate a complete power failure in
order to show that the turbine would still supply sufficient power even after the
reactor had been shut down, so that the time required for the emergency units to
start could be bridged.

In Fukushima, the reactors of the Tokyo Electric Power Company (TEPCO) stand on
granite foundations. They are surrounded by steel and concrete structures. The
trigger of the accident in Japan was a huge earthquake. The subsequent tsunami
flooded the coastal nuclear power plant, which caused the power in the
high-voltage grids to fail. Therefore, the systems ran on emergency power until
the tsunami shut down the emergency diesel engines. Batteries remained, but were
exhausted after a few hours. From then on, no more cooling water of the Reactor
Coolant System (RCS) was pumped, so that the reactor cores and the fuel elements
stored in the decay ponds of the reactor units overheated.

So far, the two accidents have been the only ones to which the highest level on 
the international INES reporting scale has been assigned. The INES (International 
Nuclear Event Scale) is used to assess accidents in nuclear facilities. 

The Chernobyl and Fukushima disasters mark changes in acceptance with 
significant turning points in environmental policy and in the discussion about the 
use of nuclear energy. The assumptions used to evaluate the occurrence of acci- 
dents in nuclear power plants can be doubted in view of the short interval of only 
25 years between the catastrophes of Chernobyl and Fukushima. It is possible 
that the risks of nuclear power were systematically underestimated. 

In March 2011, in response to the nuclear catastrophe in Fukushima, the
German Bundestag decided to phase out nuclear power completely by 2022
(Reinberger et al., 2016; Filburn & Bullard, 2016).

Mathematically, an uncontrolled and prolonged release of radioactivity can 
occur in any reactor worldwide, with catastrophic consequences for humans 
and the environment. Individual traffic accidents generally do not have such a 
dimension—but in total they do. 

According to statistics, the absolute frequency of dying in a road accident in 
2018 was: 


— Approximately 3,000 annually in Germany 
— Approximately 40,000 annually in the USA 
— At least around 1,272,000 annually worldwide [4, 9, 10] 


$$\text{Global Traffic Mortality Rate}_{2015} = \frac{1{,}272{,}465}{7{,}313{,}015{,}000} = 17.4 \cdot 10^{-5} \qquad (2.1)$$

That means 17.4 out of 100,000 persons died in road traffic worldwide in 2015
(World Health Organization, 2017).

Correspondingly, 5.05 out of 100,000 persons died in European road traffic in
2016 (European Transport Safety Council, 2017).
In the year 2010, the EU renewed its road safety target to reduce road deaths
by 50%, with the reduction measured from 2010 until the year 2020. Compared with
the 31,595 people killed in 2010, a reduction of 18.7% had been achieved by 2016.
It followed an earlier target set in 2001 to halve road deaths by 2010. That
target was not quite reached: 55,092 people had been killed in 2001, but the
42.7% reduction achieved was not very far from the goal. Figure 2.2 shows the
average life expectancy of women and men compared to traffic mortality per
100,000 inhabitants.
Fig. 2.2 Global mortality rates: female, male and traffic mortality. (Source: World
Health Organization — World Health Statistics 2017; traffic mortality data from
2013, life expectancy at birth female/male from 2015)


Conversely, HIV/AIDS deaths increased from 300,000 in 1990 to 1.5 million in
2010. Non-communicable disease deaths rose by almost 8 million between 1990 and
2010. Cancer alone killed 8 million people in 2010, an increase of 38% over two
decades. The number of fatal road injuries grew by 46% from 907,900 to 1,328,500
over 10 years, but age-standardized road injury death rates only rose from 18.4
to 19.5 per 100,000.

ISO 26262 requires a significantly higher level of safety with regard to the
hardware failure rate compared to many other deadly risks accepted in reality.
The overview in Fig. 2.3 addresses global mortality rates with exemplary causes
of death for 1990 and 2010 and in addition the Automotive Safety Integrity Level
“ASIL D” requirement with a hardware failure rate of less than 1 · 10^-8 per hour.

Fig. 2.3 Global mortality rates with exemplary causes of death (for 1990 and 2010
in comparison to ASIL D). (Source: data funded by the Bill & Melinda Gates
Foundation, and ISO 26262:2018)


Reaching an agreement on reasonable safety and acceptable risk requires an
international approach. These safety-relevant challenges are undoubtedly
connected to the currently accepted “social values” within our society.
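As an added illustration (not from the book), the following Python carries Eq. 2.1 through with the figures quoted there and converts the population-based annual rate into a per-hour figure, which is the only form in which it can be set against the ISO 26262 ASIL D random hardware failure target of 10^-8 per hour. The exposure hours per year (calendar hours, and an assumed 300 driving hours per person) are constructed assumptions.

```python
"""Eq. 2.1 carried through and compared with the ASIL D hardware target.

Added example, not from the book. Deaths and world population are the figures
quoted in Eq. 2.1; the ASIL D random hardware failure target of 1e-8 per hour
is the ISO 26262 value; the exposure hours per year are constructed assumptions.
"""
from dataclasses import dataclass

CALENDAR_HOURS_PER_YEAR = 365.25 * 24   # 8766 h, every hour of the year
ASIL_D_TARGET_PER_HOUR = 1e-8           # ISO 26262 ASIL D: < 10^-8 failures/h


@dataclass(frozen=True)
class MortalityRate:
    deaths: int
    population: int

    def per_person_year(self) -> float:
        """Eq. 2.1: deaths / population for one year (17.4e-5 for 2015)."""
        return self.deaths / self.population

    def per_100k(self) -> float:
        """Customary 'per 100,000 inhabitants' form of the same ratio."""
        return self.per_person_year() * 100_000

    def per_exposure_hour(self, exposure_hours_per_year: float) -> float:
        """Spread the annual per-person risk over the hours of exposure.

        ISO 26262 counts failures per operating hour, so a population rate
        per year must be converted before the two numbers can be compared.
        """
        return self.per_person_year() / exposure_hours_per_year


def compare_with_asil_d(rate: MortalityRate, exposure_hours_per_year: float) -> dict:
    """Express the mortality risk per hour of exposure and report how many
    times it exceeds the ASIL D target."""
    hourly = rate.per_exposure_hour(exposure_hours_per_year)
    return {
        "per_100k": round(rate.per_100k(), 1),
        "per_hour": hourly,
        "ratio_to_asil_d": hourly / ASIL_D_TARGET_PER_HOUR,
    }


def exposure_hours_to_meet_asil_d(rate: MortalityRate) -> float:
    """Annual exposure hours over which the mortality rate would have to be
    spread to fall to the ASIL D level. A value above 8766 h means the target
    is stricter than any real exposure can make the accepted risk."""
    return rate.per_person_year() / ASIL_D_TARGET_PER_HOUR


# Figures from Eq. 2.1 (WHO, 2015): world road deaths and world population.
GLOBAL_2015 = MortalityRate(deaths=1_272_465, population=7_313_015_000)

if __name__ == "__main__":
    # Calendar exposure versus an assumed 300 driving hours per person per year.
    for hours in (CALENDAR_HOURS_PER_YEAR, 300.0):
        print(f"{hours:7.1f} h/year:", compare_with_asil_d(GLOBAL_2015, hours))
    print("hours/year needed to meet ASIL D:", exposure_hours_to_meet_asil_d(GLOBAL_2015))
```

Even spread over every hour of the year, the 2015 global traffic mortality rate is about twice the ASIL D target; spread over driving hours only, it is higher by a factor in the tens.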
In order to quantify automated vehicles’ potential safety benefits, selected
accident data collections will be presented and their respective pros and cons
discussed.


2.4 Federal Road Traffic Accident Statistics in Germany 


The Federal Statistical Office of Germany in Wiesbaden publishes monthly
statistics on fatalities, injuries, and material damage in accordance with
Section 1 of the StVUnfStatG (§ 1, German law on statistics of road traffic
accidents). This data is provided by police stations, which are required to
submit standardized records of reported accidents to state-level statistics
offices (Statistisches Bundesamt, 2014).

Only extracts of this nationwide data are published online. Police investigations
show the drivers’ driving errors and therefore a potential for increasing safety
through automated driving (see Ch. 3.3). All documented information is categorized
into type of road, age of all parties involved, and type of transport means.
No specific documentation on vehicle details, injuries or accident reconstruction
is available.


2.5 German In-Depth Accident Study (GIDAS) 


Statistically reliable analysis of road-accident scenarios requires detailed data. In
Germany, the GIDAS (German In-Depth Accident Study) database serves this
purpose. It is recognized as one of the most comprehensive accident databases
worldwide (Kramer, 2013; Zobel & Winkle, 2014). GIDAS has been financed
by the Federal Highway Research Institute (BASt) since 1973 and by the Research
Association of Automotive Technology (FAT) since 1999. These days GIDAS prepares
separate databases of approx. 2,000 accidents annually from the Hannover (since
1973) and Dresden (since 1999) survey areas. Each documented accident contains
up to 3,000 coded parameters: information on the environment (e.g. weather, road
type, road condition), the situation (e.g. traffic, conflict, and manner of
accident), the vehicles (type, safety equipment), personal details, and injury
data, including accident reconstruction as well as photos (Winkle, Monnich,
Bakker & Kohsiek, 2009; Kramer, 2013; Zobel & Winkle, 2014; Schubert &
Erbsmehl, 2013).

For further analyses, many cases are reconstructed with the PC-Crash simulation
software by Dr. Steffan Datentechnik (Steffan & Moser, 2016; Burg & Moser, 2017;
Castro, Becke & Nugel, 2016). However, GIDAS data access is limited to car
manufacturers and component suppliers taking part in the project. It contains
only accidents resulting in personal injuries. Because only the Hannover and
Dresden areas are surveyed, the findings have to be transferred to the whole of
Germany via extrapolation (i.e. weighting and comparison with federal accident
statistics, see Section 2.4).


2.6 Road Traffic Accident Statistics in the USA 


The US National Highway Traffic Safety Administration (NHTSA) introduced
the Fatality Analysis Reporting System (FARS) in 1975 and has documented
fatal road accidents since then (National Highway Traffic Safety Administration
NHTSA, 2014). In addition, since 1979 the National Automotive Sampling System —
Crashworthiness Data System (NASS-CDS) has analyzed road accidents involving
personal injury or severe damage using interdisciplinary teams, similarly to the
German GIDAS (O’Day, 1986).

However, unlike GIDAS, in-depth data collections for extended accident analy- 
sis in the USA offer no reliable accident reconstruction. For example, emergency 
braking functions cannot be assessed (Zobel & Winkle, 2014). The drop in US 
traffic accident fatalities since 1970 has been lower, at around 16%, than in 
Germany, at around 60% (Statistisches Bundesamt, 2014; National Highway Traf- 
fic Safety Administration NHTSA, 2014). This might be, among other factors, 
because of drowsiness due to longer distances driven in the US. 


2.7 International Road Accident Data Collections 


Various national official accident statistics have been merged into the
International Road Traffic and Accident Database (IRTAD). Both fatalities and
road accidents involving personal injury are generally included; they are
distinguished by age, location and type of road use. The database is maintained
by the Organization for Economic Cooperation and Development (OECD) in Paris. It
contains data from: Argentina, Australia, Austria, Belgium, Canada, Chile, Czech
Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland,
Israel, Italy, Jamaica, Japan, Korea, Lithuania, Luxembourg, Morocco, Netherlands,
New Zealand, Norway, Poland, Slovenia, Spain, Sweden, Switzerland, the UK and the
USA (Amoros, 2009).
The data is publicly accessible online and is especially useful for comparing
the data between member countries. It gives insight into the impact of different
regulations and national/regional driving behavior (north versus south, for
instance). However, detailed information on how the accident occurred is still
missing. Besides, survey methods and data volumes differ in each country.

The Initiative of Global Harmonization of Accident Data (IGLAD) also aims 
to harmonize global in-depth traffic accident data. In 2010 European car manufac- 
turers started IGLAD in order to improve road and vehicle safety. A standardized 
data scheme determines the accident data contained. This enables comparison 
between different countries. Initially IGLAD was funded by the European Auto- 
mobile Manufacturers’ Association (ACEA). In the second phase, which started 
in 2014, the number of variables was extended to 93 regarding accidents, roads, 
participants, occupants and safety systems. Until now only limited data (between 
50 and 200 cases, data years 2007-2012) from 11 countries (Australia, Austria, 
China, Czech Republic, France, Germany, India, Italy, Spain, Sweden and USA) 
have been accessible for research. 


2.8 Accident Data Collections of Automobile Manufacturers


Continuous improvements in the effectiveness of vehicle safety systems currently 
in use remain a prime aim for car manufacturers and component suppliers. 
Therefore, interdisciplinary expert teams collect information on accidents invol- 
ving current vehicles and carry out accident analysis at the scene together with 
hospitals and the police, thereby also fulfilling product monitoring obligations. 

Moreover, manufacturers also analyze complex accident scenarios in order to
comply with their mandatory duty of care and to observe potential product dangers
that may arise during operation. According to Section 823 of the German Civil
Code (BGB), a car manufacturer is liable for damages caused by defects of its
products in intended or foreseeable use. A manufacturer is therefore obliged
to collect and analyze information on vehicle use in conjunction with innovative
systems. The more dangerous a product, the greater is the obligation to ensure and
monitor the product’s safety during and after the development process (Matthaei
et al. 2015) (see Ch. 4).

As far back as 1969, Mercedes-Benz started investigating road accidents
involving its Mercedes vehicles in cooperation with the interior ministry of
Baden-Württemberg. Mercedes’ accident research had access to regular information
over the telephone and insight into police accident files. Since at least the
1970s, other manufacturers like BMW have increasingly been studying and
documenting accidents involving their own vehicles. Volkswagen (VW) has obtained
information from the insurers’ association Haftpflicht-, Unfall-,
Kraftversicherer-Verband (HUK-Verband) since the late 1960s and from the Hannover
Medical School MHH (the predecessor of GIDAS) since 1985. VW accident research
has been analyzing its own data since 1995 (Zobel & Winkle, 2014).

Detailed, interdisciplinary investigation of accidents by automotive
manufacturers, especially with the support of function developers involving the
latest vehicle safety technology, provides clear insights into the potential
benefits of automated systems. However, a few hundred cases annually, involving
only a brand’s own vehicles, are not statistically valid.


2.9 Accident Data of the German Insurance Association 


The German Insurance Association (Gesamtverband der Deutschen
Versicherungswirtschaft, GDV) focuses on damage incidences from motor claims
where German insurers have to pay compensation based on their contracts. This
information helps the GDV, for example, in grading insurance contracts or in
determining the potential savings through driver-assistance systems (Hummel,
Kühn, Bende & Lang, 2011).

Insurers’ accident research has access to motor vehicle liability loss and
collision damage waiver (CDW) cases reported to the GDV. Unfortunately, this data
is not publicly available. No analysis takes place at the scene. The accidents
are not recorded comprehensively. As soon as the question of liability to pay has
been answered, the insurer’s interest in the particularities of a case ends.
Therefore, there is very little detailed information on the accident cause in
undisputed cases. In accidents with only one party and one vehicle involved
(driving accidents), when a driver loses control of the vehicle, the cause of the
accident remains uninvestigated (Zobel & Winkle, 2014).


2.10 Accident Data Collections of Consumer Associations (ADAC)


In 2005, the German automobile club ADAC started researching accidents,
involving the ADAC technology center and the ADAC air rescue. Annually,
information on around 2,500 serious accidents from rescue flights is collected in
the ADAC database. Accident data is supplied from expert reports by motor vehicle
assessors, the police, emergency physicians and fire departments (Unger, 2013).

The ADAC accident data lists and describes road accidents with seriously injured
persons. The files include aerial pictures showing a vehicle’s final position as
well as an in-depth medical diagnosis. Although the files are not publicly
accessible, it is possible to access and evaluate the data individually.
Unfortunately, the various persons investigating an accident do not compile their
respective results for interdisciplinary reflection.


2.11 The Fundamentals of Accident Data Analysis 
2.11.1 Level of Data Collection versus Number of Cases 


The validity of accident data with regard to potential safety benefits depends to 
a large extent on the collection method. Usually interdisciplinary teams work 
together to carry out so-called in-depth surveys. Well-founded results can be 
achieved when function developers, accident analysis experts, doctors, and traf- 
fic psychologists are all involved in analyzing individual cases. But this depth of 
data collection tends to be restricted to a small number of cases, diminishing its 
statistical validity. 

Evaluations from accident databases give an indication which measures are 
likely to increase traffic safety. A detailed accident analysis including a recon- 
struction of the accident encompasses a retrograde calculation of speeds based 
on traces of the accident, an investigation as to how the accident arose, a check 
for possible accident fraud, consideration to what extent it was avoidable, and 
biomechanics. An extensive knowledge of the given conditions and framework is 
necessary for an evaluation of future systems’ potential benefits based on these 
findings. 

Currently, promising ideas on improving vehicle safety primarily come from 
a combination of accident analysis, existing experience and extensive research 
work. Accident research is one way to review the efficiency of existing automa- 
ted vehicle functions and the need for further safety-enhancing functions. Below, 
basic terms of accident data evaluation will be explained. 
2.11.2 The Validity of Areas of Action Compared to Areas of Efficiency


When comparing various accident data analyses, the way in which data is collec- 
ted and the way it is processed have to be distinguished. Areas of action adopted 
under optimal conditions are often confused with areas of efficiency under real 
conditions. 

An area of action comprises the accidents which a system can influence. The
area of action may vary according to how precisely a system’s specification is
defined. As a result, it is an initial estimate of the maximum potential of the
automation level in question. On the other hand, the actual resulting efficiency of
a function is generally significantly lower. Efficiency is defined as the effect that
a specified system has in practice. It is either proven by occurring accidents (a
posteriori) or predicted by simulations (a priori) (Winkle et al., 2009a).

Determining an area of efficiency therefore requires precise knowledge of two 
factors: 


— the system specification with its corresponding function limits 
— the driver’s behavior 


The degree of efficiency describes a function’s relative efficiency as a percentage
and relates it to the unspecified term of the area of action (Schittenhelm et al.
2008):

$$\text{degree of efficiency} = \frac{\text{area of efficiency}}{\text{area of action}} \; [\%] \qquad (2.3)$$


2.11.3 Potential Safety Benefits Depending on Automation 
Levels and Degree of Efficiency 


Some analyses of potential safety impacts examine the maximum assumed area 
of action described above by using accident databases. In contrast, analyzing the 
degree of efficiency comes closer to reality by evaluating an area of efficiency for 
its actual benefit (Schittenhelm et. al. 2008). However, the resulting safety benefits 
of automated vehicles can only be established after all risks have been factored 
in. The benefit corresponds with the reduction of accident frequency and severity. 
New risks exist since as yet non-existent accidents may occur with increasing 
automation. 
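The following added Python example (not from the book or the studies it cites) applies the area-of-action/area-of-efficiency distinction of Section 2.11.2, Eq. 2.3, and the net-benefit reasoning of Section 2.11.3 to a constructed ten-case accident sample. The hypothetical emergency braking function’s specification, the effectiveness weights for weather and darkness, and the number of newly induced accidents are all made-up assumptions.

```python
"""Area of action vs. area of efficiency (Sections 2.11.2 and 2.11.3).

Added example, not from the book. The ten accident records, the hypothetical
emergency braking specification, the effectiveness weights and the induced
accidents are all constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Accident:
    case_id: int
    kind: str          # conflict type, e.g. "rear_end", "pedestrian"
    speed_kmh: float   # pre-crash speed of the subject vehicle
    weather: str       # "clear", "rain", "fog" or "snow"
    night: bool


# Constructed in-depth sample (GIDAS-like in structure, not real data).
SAMPLE: List[Accident] = [
    Accident(1, "rear_end", 60, "clear", False),
    Accident(2, "rear_end", 95, "clear", False),      # above the speed range
    Accident(3, "lane_departure", 70, "rain", True),
    Accident(4, "pedestrian", 45, "fog", True),
    Accident(5, "rear_end", 30, "rain", False),
    Accident(6, "pedestrian", 55, "clear", True),
    Accident(7, "lane_departure", 110, "clear", False),
    Accident(8, "rear_end", 5, "clear", False),       # below activation speed
    Accident(9, "pedestrian", 40, "snow", False),
    Accident(10, "rear_end", 75, "clear", False),
]


@dataclass(frozen=True)
class SystemSpec:
    """Hypothetical emergency braking function: the conflict types it addresses
    and the speed range in which it is active. Sharpening the specification
    changes the area of action (Section 2.11.2)."""
    kinds: frozenset
    min_speed_kmh: float
    max_speed_kmh: float

    def covers(self, a: Accident) -> bool:
        return a.kind in self.kinds and self.min_speed_kmh <= a.speed_kmh <= self.max_speed_kmh


AEB_SPEC = SystemSpec(kinds=frozenset({"rear_end", "pedestrian"}),
                      min_speed_kmh=10, max_speed_kmh=80)


def effectiveness(a: Accident) -> float:
    """A priori estimate of the probability that the function prevents `a`,
    reduced for sensor limits in bad weather and at night (function limits and
    driver behaviour). The weights are constructed, not measured."""
    p = 0.8
    if a.weather in ("fog", "snow"):
        p *= 0.25
    elif a.weather == "rain":
        p *= 0.6
    if a.night:
        p *= 0.75
    return p


def area_of_action(sample: List[Accident], spec: SystemSpec) -> List[Accident]:
    """Accidents the specified system can influence at all: the upper bound
    of its potential, under optimal conditions."""
    return [a for a in sample if spec.covers(a)]


def max_potential_share(sample: List[Accident], spec: SystemSpec) -> float:
    """Share of all accidents that lie in the area of action, in percent."""
    return 100.0 * len(area_of_action(sample, spec)) / len(sample)


def area_of_efficiency(sample: List[Accident], spec: SystemSpec,
                       model: Callable[[Accident], float]) -> float:
    """Expected number of area-of-action accidents actually prevented once
    function limits and driver behaviour are taken into account."""
    return sum(model(a) for a in area_of_action(sample, spec))


def degree_of_efficiency(sample: List[Accident], spec: SystemSpec,
                         model: Callable[[Accident], float]) -> float:
    """Eq. 2.3: area of efficiency / area of action, in percent."""
    aoa = area_of_action(sample, spec)
    if not aoa:
        return 0.0
    return 100.0 * area_of_efficiency(sample, spec, model) / len(aoa)


def net_safety_benefit(sample: List[Accident], spec: SystemSpec,
                       model: Callable[[Accident], float],
                       induced_accidents: float) -> float:
    """Section 2.11.3: the resulting benefit counts only after the new risks
    (accidents the automation itself may cause) have been subtracted."""
    return area_of_efficiency(sample, spec, model) - induced_accidents


if __name__ == "__main__":
    print("area of action:", [a.case_id for a in area_of_action(SAMPLE, AEB_SPEC)])
    print("max potential share: %.1f %%" % max_potential_share(SAMPLE, AEB_SPEC))
    print("degree of efficiency: %.1f %%" % degree_of_efficiency(SAMPLE, AEB_SPEC, effectiveness))
    print("net benefit with 0.5 induced accidents:",
          net_safety_benefit(SAMPLE, AEB_SPEC, effectiveness, 0.5))
```

On this sample the function could act on 60% of all accidents, but only 50.5% of those are expected to be prevented, and the net benefit shrinks further once induced accidents are subtracted.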
The theory of inventive problem solving (TRIZ) defines the requirements of an
ideal machine, using the formula of an ideal final result with an unlimited benefit
while incurring no costs or damages (Hummel, Kühn, Bende & Lang, 2011):

$$\text{ideal final result} = \frac{\sum \text{benefit}}{\sum \text{costs} + \sum \text{damages}} = \frac{\infty}{0 + 0} = \infty \qquad (2.4)$$


On the one hand, the safety benefit of connected automated vehicles increases
in accordance with the degree of efficiency (proof by accident data analysis and
knowledge of functions). On the other hand, the risks may rise in line with an
increase in automation (“Driver” versus “Robot”). These in turn lessen the actual
safety benefit (see Fig. 2.4). To minimize those potential risks, manufacturers
carry out risk management (see Ch. 2) using accident data.
Fig. 2.4 Consumers’ evaluation of the potential safety benefits is subjective. They
weigh up the risks and benefits in the relevant contexts as they perceive them.
Risks grow with the level of automation, benefits with the degree of efficiency.
Accident data analysis and risk management will allow these to be seen more
objectively and optimized.
2.12 Significance of Possible Predictions Based on Accident 
Data 


Using exemplary cases, the following meta-analysis shows what conclusions can 
or can’t be drawn about potential benefits based on various accident data. Since 
there have been no analyses yet of highly and fully automated vehicles, we 
will look at systems without automation (“driver only”/“no automation”) or with 
low levels of automation concerning the main driving task (“assisted”/“partially 
automated”) first and divide them into a posteriori and a priori analyses. 

Section 1.4.1 contains examples of a posteriori statements on accident data. In 
the definition used here, figures “gained from experience” (Duden, 2014) can be 
interpreted immediately. In contrast, assumptions “obtained by logical reasoning” 
(Duden, 2014) must be made in order to assess the potential benefits of future 
levels of automation when using the a priori forecasts defined in Section 1.4.2, 
which are based on accident data collections. 


2.12.1 A Posteriori Analyses of Accident Data for “Driver 
Only”/“No Automation” 


Past and present a posteriori analyses of accident data collections involving con- 
ventionally (human-) driven vehicles provide insights into accident black spots 
and changes in real-life traffic accidents. This “driver-only”/“no-automation” cate- 
gory means a lack of warnings and interventions in longitudinal and lateral 
guidance by environmental sensors. 

The change in the number of accident fatalities serves as a first example. The 
second example is the positive impact of Electronic Stability Control, or ESC (see 
Ch. 2.12.11). 


2.12.1.1 Traffic Statistics: Accident Fatalities Versus Registered 
Motor Vehicles 

The rate of traffic accident fatalities per registered vehicle, taken from data of 
the German Federal Statistics Office shows that death rates have been dropping 
in Germany since 1970 when 21,332 people died in car accidents (Statistisches 
Bundesamt, 2020). Since then, the numbers of injuries and fatalities in road acci- 
dents have been reduced considerably in Western countries due to measures in 
road building, legislation, the rescue chain, emergency medicine, and passive and 
active vehicle safety. These findings are based on large-scale worldwide collected 
surveys and analyses of road accidents. They differ in their orientation, in the 
amount of data collected and in the depth of investigation. 
Fig. 2.5 Reduction of traffic fatalities due to enhanced safety measures in spite of increase 
of registered motor vehicles in Germany 


These accident statistics show that, while the number of registered vehicles 
increased, the number of traffic fatalities dropped from over 21,000 in 1970 to 
almost 3,000 annually. This was due to various legislative, medical, technological, 
and infrastructural measures (see Fig. 2.5). Because of the overlapping of all these 
actions, it is difficult to single out and calculate the effectiveness of any individual 
measure. 


2.12.1.2 Studies on the Effect of “Driver-Only”/“No-Automation” 
Systems 

Introduced in 1995, Electronic Stability Control (ESC) is a technical evolution 
of the electronic antilock braking system, which was largely marketed from 1978 
with the legally protected term ABS. It uses ABS’s wheel speed sensors in con- 
junction with additional sensors for steering wheel angle, yaw rate, and lateral 
acceleration. Using this information, ESC can stabilize the vehicle in case of a 
recognized skid through braking individual wheels independently of each other. 
With this braking intervention, a lateral collision can be converted into a less 
vulnerable frontal crash. In 2001, Daimler accident research posited that 21% of 
skidding accidents led to injuries and 43% to fatalities (Daimler AG Communica- 
tions, 2011). At that time, the findings of accident research experts investigating 
individual accidents on behalf of car manufacturers diverged greatly. Later fore- 
casts of potential benefits based on a larger number of cases also differ. Areas 
of action from the year 2000, for example, show a positive impact of up to 67% 
for severe skidding accidents (Bengler et al. 2014). Other studies stated that, 
second only to the introduction of safety belts as a passive safety system, ESC 
provides the most effective gain in safety in the “driver-only” category (Zobel 
et al. 2010). The proportion of accidents due to driver error and skidding, for 
instance, decreased after the introduction of ESC as a standard in all Mercedes- 
Benz cars from about 2.8 involved vehicles (per 1000 registered in Germany) 
in 1998/1999 to 2.21 involved in 2000/2001. ESC’s high effectiveness has also 
been proven in other brands such as Volkswagen, where statistics show lower 
accident frequency as well as prevention of critical accident types (Langwieder, 
Gwehenberger, Hummel, 2003). 

In summary, safety benefits have already been established for safety-enhancing 
“driver-only” functions with quick market penetration depending on suppositi- 
ons and various data sources. Especially for ESC, the scientific evidence for an 
increase in safety is well-founded. 


2.12.2 A Priori Predictions for Assisted and Partially Automated 
Driving 


A priori predictions depend on hypotheses and inferences. For example, assis- 
ted and partially automated driving functions can keep the driver from imminent 
danger via acoustic, optic or haptic warnings as well as short braking or stee- 
ring interventions with a warning character. However, the danger can only be 
successfully averted if the driver reacts in time and appropriately to the traffic 
situation. 

From a technical viewpoint, these advanced levels of automation, which 
possess a greater degree of extended computer and sensor technology for envi- 
ronmental perception, result in increasingly capable assistance systems. Some 
currently available safety-enhancing driver assistance systems warn the driver 
when there is recognized danger in parallel or crossing traffic. These include 
collision warning systems such as EBA (Electronic Brake Assist), ACC with 
FCWS (Adaptive Cruise Control with Forward Collision Warning System), LKA 
(Lane Keep Assist), LDW (Lane Departure Warning), NV (Night Vision) or 
intersection assistance. Other systems, such as Electronic Brake Assist (EBA) or 
Autonomous Emergency Brake (AEB), intervene in the longitudinal and lateral 
vehicle dynamics (see Fig. 2.5). 
2.12.2.1 Study on the Potential of Lane Departure Warning 

Using the example of a Lane Departure Warning (LDW) system (Hörauf, 
Buschardt, Donner, Graab & Winkle, 2006), road accidents were analyzed by 
doctors, psychologists and development engineers in a cooperative approach in 
2006. The results, which were obtained with the participation of the author of 
this book, a function developer, and a psychologist, were achieved through inter- 
disciplinary research of a car manufacturer, a university hospital, and the police, 
with support from the Bavarian Ministry of the Interior, Building and Transport 
(BStMI). 

Such interdisciplinary analyses of accident causes and consequences are based 
on technical, medical, and psychological examinations by experts from each field, 
which are then integrated collectively. These days, driving-related psychological 
data is collected more frequently in order to analyze a road accident. With the 
help of standardized interviews, the collision experience is recorded and evaluated 
from the driver’s viewpoint. The purely technical reconstruction of the accident 
is now supplemented by a psychological perspective. 

Taking the example of Lane Departure Warning, it was explained to all pro- 
fessional teams involved what system design specifications had to be met. The 
selected accidents were filtered further through specific focused questions from 
the technological development. This kind of procedure provides insight into what 
kind of and how many accidents could be avoided through systems currently 
under development. To achieve this, knowledge of the system’s specific technical 
limits is indispensable. A further outcome may be recommendations for additional 
functional system enhancements (Hörauf, Buschardt, Donner, Graab & Winkle, 
2006). 

Therefore, these detailed accident analyses prove the value of comprehensive 
accident data collection. Experts on technology, medicine, and psychology wor- 
ked together closely for this study. This interdisciplinary approach produces a 
large number of new references regarding accident scenes, vehicle details, injury 
patterns, parties involved in an accident and witness statements. This additional 
information gives insight into active steering corrections, interventions of the bra- 
kes and reactions immediately prior to a collision, since human errors such as 
inattentiveness, distraction or fatigue are the main causes for lane departure. The 
various perspectives from which an interdisciplinary team looks at the accident 
can make computer-aided reconstruction and simulation of an incident highly 
realistic. However, to achieve representative results, these analyses need to be 
validated by larger accident data collections. 
2.12.2.2 Interdisciplinary Degree of Efficiency Analysis Based 
on Current Driver Assistance Systems 

Now that the advantages of interdisciplinary analysis had been proven through the 
above-mentioned study on the effectiveness of Lane Departure Warning, a further 
interdisciplinary analysis of the degree of efficiency was conducted four years 
later. The objective was a comparison of available safety-enhancing driver assi- 
stance systems. This project was based on a sample of reconstructed accidents 
(n = 100). Therefore, an interdisciplinary accident data evaluation was carried 
out by the author in cooperation with a psychologist and in close consultation 
with the respective function developers. The study analyzed the effectiveness of 
various driver assistance systems in avoiding accidents with regard to the accident 
situation (Chiellino, Winkle, Graab, Ernstberger, Donner, Nerlich, 2010). In early 
2010, the range of systems available included Night Vision, Lane Departure War- 
ning, Lane Change Assistant and Adaptive Cruise Control. To calculate the degree 
of efficiency, accident research data was weighted according to accident statistics 
for Bavaria. An accident scene was reconstructed for each real-life accident, and 
the accident cause in terms of human-machine interaction was assessed. This was 
done according to the human-machine interactions as described in the ADAS 
Code of Practice definition for the development of Advanced Driver Assistance 
Systems (ADAS) with active longitudinal and lateral guidance (Donner, Winkle, 
Walz, Schwarz, 2007). After a six-year involvement (Becker, Schollinski, Schwarz 
& Winkle, 2003; Becker et al. 2003), the European Automobile Manufacturers’ 
Association (Association des Constructeurs Européens d’Automobiles, ACEA) 
published the results in 2009 (Knapp, Neumann, Brockmann, Walz & Winkle, 
2009). The potential for preventing accidents was judged to be positive only if 
every development expert for the relevant system saw its benefits. The results yiel- 
ded that the examined systems were able to contribute significantly to diminishing 
the severity of accidents. 

The study’s prognosis is that the investigated driver assistance systems would 
prevent a substantial number of accidents. A 27% decrease in the total number 
of injured persons was predicted, which means that the number of people injured 
would fall from 126 drivers and 49 passengers (as in the actual data) to 94 and 33, 
respectively. One must keep in mind that the premise for these results is optimal 
reactions regarding human-machine interactions. Further studies with test persons 
are necessary before drawing final conclusions. Moreover, 100% distribution of 
the investigated systems, operating without errors within the system limits, would 
need to be ensured. 

The study used an injury grading system which was based on the Abbreviated 
Injury Scale (AIS) (Association for the Advancement of Automotive Medicine, 
2005), as also applied in ISO 26262 for functional safety (International Organiza- 
tion for Standardization, ISO 26262-3, 2018). The AIS codes every injury with a 
value between 1 (light injuries) and 6 (extremely critical or fatal injuries). Thus, 
the most severe injury of all the injuries one person has contracted is defined as 
MAIS (Maximum AIS). An uninjured person is classified as MAIS 0. 

Looking closely at accident causes revealed that over 60% of them invol- 
ved information errors, i.e. failures regarding information access and information 
reception. Therefore, the correspondingly high effectiveness of warning assistance 
systems is hardly surprising (Chiellino, Winkle, Graab, Ernstberger, Donner & 
Nerlich, 2010). 

In summary, this interdisciplinary study compared currently available driver 
assistance, with all respective developers being involved in the analysis. Each 
developer contributed their knowledge of the specific relevant function parameters 
of their system, thus ensuring more accurate assessment of potential gains in 
safety. It has to be borne in mind that the sample of 100 cases in the study, weighted 
with representative accident data from Bavaria, is too small to yield statistically 
reliable statements. However, they show a tendency in which cases these driver 
assistance systems contribute significantly to road safety. 

It is noteworthy that there are further possibilities for gaining statistical evi- 
dence regarding the predicted safety benefits of braking assistance and automatic 
emergency braking functions. Moreover, simulations using software-based acci- 
dent reconstructions are immensely useful for assessing the forecast safety gains 
(Busch, 2005). 


2.12.2.3 GIDAS Database Analysis for Potential Safety Benefits 
of Connected Vehicles 

Using a larger data volume, the following analysis of the German In-Depth Acci- 
dent Study (GIDAS) database demonstrates the variety and complexity of several 
assumptions. In cooperation with a team of experts, the author conducted this ana- 
lysis in 2009 as part of the Safe and Intelligent Mobility — Test Field Germany 
(Sichere Intelligente Mobilität: Testfeld Deutschland — simTD) research project 
with a more significant sample. The aim was an assessment of the potential bene- 
fit of future safety-relevant automobile communications systems. The analysis 
included functions for connected systems with an immediate safety impact on 
road traffic. The relevant data was gleaned from 13,821 accidents involving per- 
sonal injury, which had been documented by GIDAS between 2001 and 2008 in 
the areas of Hannover, Dresden, and their surroundings (Winkle, Mönnich, Bak- 
ker & Kohsiek, 2009; Schubert & Erbsmehl, 2013). In order to extrapolate this 
for the whole country, the data obtained from the statistical sampling scheme was 
weighted with the help of accident statistics from the German Federal Statisti- 
cal Office. These official statistics list all accidents registered in Germany in one 
calendar year which involve personal injury. For example, there were 335,845 
road accidents involving personal injury in 2007 (Statistisches Bundesamt, 2014). 

In several consultations with the simTD function developers and accident 
experts from BMW, Audi, Daimler, Bosch and Volkswagen, the precise varia- 
bles needed for the analysis were agreed on. The project participants decided 
to start with the analysis of 13 safety-related warning functions. They made a 
joint decision to consider relevant vehicles such as cars, trucks, agricultural trac- 
tors, buses, rail vehicles (including city railways and trams, but no state railway 
trains) and motorbikes (motorized two-wheelers, three-wheelers, quad bikes from 
125 cc) during several workshops. After this, the areas of action using the exten- 
sive GIDAS data were determined. Initially this selection was made by using the 
variables from all accidents relevant to each system as they related to the whole 
of the accident occurrence. The result was that, ranging from 0.2% to 24.9%, 
the areas of action for each separately examined function varied greatly. Areas 
of action can therefore give a fairly certain estimate only of the maximum effec- 
tiveness which cannot be exceeded. It should also be noted that due to overlapping 
functions individual areas of action cannot simply be added up (see Annex Fig. 
A.18). 

In order to analyze degree of efficiency, three assumed function types (electro- 
nic brake light, cross traffic assist, traffic sign assist for stop signs) were selected 
from the GIDAS area of action analysis mentioned above. The corresponding 
degrees of efficiency were taken from a reduced sample of driving simulator 
investigations. 

For instance, the share of accidents in which cross traffic assist helped the driver 
to avoid the collision (see Klanner, 2008) ranged widely, from 9.9% to 73.3%. 
This was due to both different driver reaction times and varying braking intensity 
after warnings. Thus, three likely reaction times (0.54, 0.72 and 1.06 seconds) 
and the probabilities for the occurrence of each one were determined. In addition, 
weak braking of 50% of maximum braking pressure was assumed for unsuccess- 
ful reactions and 100% for successful reactions (Winkle, Mönnich, Bakker & 
Kohsiek, 2009; Schubert & Erbsmehl, 2013). 

The objective of this elaborate approach to analyzing degrees of efficiency was 
to determine and evaluate the potential of future, connected, safety-enhancing dri- 
ver assistance functions with statistical relevance. However, the wide range of up 
to 70% which was found decreases the validity and therefore only yields ten- 
dencies and outlooks regarding accidents avoided. This vast scattering is a result 
of the sensitivity of the parameters depicted above and the warning algorithm in 
question, as in practice drivers’ reaction times and braking intensities vary greatly. 
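As an added example (not code from the book or from the simTD project), the following Python sketch applies Eq. 2.3 to a constructed ten-case sample: it shows why the areas of action of overlapping functions cannot simply be summed, and computes a reaction-time-weighted degree of efficiency for an assumed cross traffic assist. The accident records, the mapping of functions to accident types, the 8 m/s² deceleration and the reaction-time probabilities are assumptions; only the three reaction times and the 50 %/100 % braking levels come from the text.

```python
# Added example, not from the book. Illustrates Eq. 2.3 (degree of efficiency =
# area of efficiency / area of action) on a constructed mini accident sample:
# (1) areas of action of overlapping functions cannot simply be added, and
# (2) the degree of efficiency of a warning function depends on reaction time.
# Constructed assumptions: the ten accident records, the mapping of functions
# to accident types, the 8 m/s^2 full deceleration and the probabilities of the
# three reaction times. Only the reaction times (0.54, 0.72, 1.06 s) and the
# 50 %/100 % braking levels are taken from the text.
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Accident:
    case_id: int
    accident_type: str          # accident type a warning function may address
    speed_mps: float            # speed of the warned vehicle when the warning fires
    warning_distance_m: float   # distance to the conflict point at that moment


# Constructed mapping of assumed function types to accident types; note that
# "crossing" is addressed by two functions, so their areas of action overlap.
FUNCTION_TYPES = {
    "electronic brake light": {"rear-end"},
    "cross traffic assist": {"crossing", "turning-crossing"},
    "stop sign assist": {"crossing"},
}

# Constructed sample of ten accidents (speeds in m/s, distances in m).
SAMPLE = [
    Accident(1, "rear-end", 20.0, 30.0),
    Accident(2, "rear-end", 25.0, 28.0),
    Accident(3, "crossing", 10.0, 20.0),
    Accident(4, "crossing", 15.0, 20.0),
    Accident(5, "turning-crossing", 8.0, 12.0),
    Accident(6, "crossing", 12.0, 16.0),
    Accident(7, "pedestrian", 11.0, 10.0),
    Accident(8, "single-vehicle", 22.0, 0.0),
    Accident(9, "rear-end", 30.0, 40.0),
    Accident(10, "parallel", 28.0, 0.0),
]

# Reaction times from the text; their probabilities are constructed here.
REACTION_TIME_PROB = {0.54: 0.3, 0.72: 0.5, 1.06: 0.2}
FULL_BRAKING_MPS2 = 8.0   # assumed maximum deceleration at 100 % braking pressure


def relevant_cases(sample, types):
    return [a for a in sample if a.accident_type in types]


def area_of_action(sample, types):
    """Share of all accidents a function could address at all (upper bound)."""
    return len(relevant_cases(sample, types)) / len(sample)


def combined_area_of_action(sample, functions):
    """Union of all addressed accidents: each case counts once, however many
    functions address it. This is what the naive sum of areas overstates."""
    return area_of_action(sample, set().union(*functions.values()))


def impact_speed(accident, reaction_time_s, braking_share):
    """Residual speed at the conflict point after reacting and braking with the
    given share of full deceleration; 0.0 means the collision is avoided."""
    v, d = accident.speed_mps, accident.warning_distance_m
    remaining = d - v * reaction_time_s         # distance left after reacting
    if remaining <= 0.0:
        return v                                # conflict reached before braking
    v_sq = v * v - 2.0 * FULL_BRAKING_MPS2 * braking_share * remaining
    return sqrt(v_sq) if v_sq > 0.0 else 0.0


def area_of_efficiency(sample, types, probs=REACTION_TIME_PROB):
    """Probability-weighted share of all accidents the warning actually avoids,
    assuming 100 % braking for a successful reaction. Unsuccessful reactions
    (50 % braking in the text) still collide and therefore add nothing here."""
    avoided = 0.0
    for a in relevant_cases(sample, types):
        for t, p in probs.items():
            if impact_speed(a, t, 1.0) == 0.0:
                avoided += p
    return avoided / len(sample)


def degree_of_efficiency(sample, types, probs=REACTION_TIME_PROB):
    """Eq. 2.3: area of efficiency / area of action, in percent."""
    action = area_of_action(sample, types)
    if action == 0.0:
        return 0.0
    return 100.0 * area_of_efficiency(sample, types, probs) / action


if __name__ == "__main__":
    areas = {n: area_of_action(SAMPLE, t) for n, t in FUNCTION_TYPES.items()}
    print("areas of action:", areas)
    print("naive sum:", sum(areas.values()),
          "union:", combined_area_of_action(SAMPLE, FUNCTION_TYPES))
    cta = FUNCTION_TYPES["cross traffic assist"]
    print("cross traffic assist: area of efficiency %.2f, degree of efficiency %.1f %%"
          % (area_of_efficiency(SAMPLE, cta), degree_of_efficiency(SAMPLE, cta)))
```

On this constructed sample the three areas of action sum to 100 % while their union is only 70 %, and the cross traffic assist reaches a degree of efficiency of 52.5 % from an area of action of 40 %.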


2.12.3 Potential Safety Benefits and Test Scenarios 
for Development of Highly and Fully Automated Driving 


2.12.3.1 GIDAS Database Expert Estimates Until 2070 

From a technical viewpoint, under favorable conditions current automated vehic- 
les can already autonomously carry out many driving tasks in moving traffic. 
Whereas driver assistance systems merely support the driver, advanced systems 
like highly and fully automated driving temporarily or permanently take on the 
task of driving. 

Highly and in particular fully automated driving is engineered to approach “Vi- 
sion Zero”: traveling as accident-free as possible. Roads and means of sustainable 
transportation ought to be planned and constructed in such a way that there are 
no traffic accident fatalities or severely injured victims. The accident-free vision 
originated in occupational safety and was first applied to road traffic in the 1990s 
in Sweden. The EU backed projects for connected automated vehicles like the 
“Highly Automated VEhicles for intelligent transport” (HAVEit) research project, 
which it sponsored with 17 million Euros. Car manufacturers such as Daimler, 
BMW and Volkswagen/Audi are also working on the vision of accident-free dri- 
ving. Thomas Weber, former Board of Management member of Daimler AG for 
research and development, asserts in an interview: 


“Unser Weg zum unfallfreien Fahren treibt uns an, die Mobilität auch in Zukunft 
für alle Verkehrsteilnehmer so sicher wie möglich zu gestalten.” (Daimler AG 
Communications, 2011) 


(Our ‘path to accident-free driving’ also drives us to design mobility as safely as 
possible for all road users in the future) 


In the first decade of this century, the number of road accidents with a car as 
the main cause and resulting in personal injury fell in Germany from 266,885 in 
2001 to 198,175 in 2010. At 68.7%, cars are still the main cause of road acci- 
dents according to the Federal Statistical Office (2010). The accident types can be 
broken down into the following main categories: Turning at/crossing intersections 
(58,725), parallel traffic (44,812), turning (33,649) and 30,737 dynamic accidents 
(Statistisches Bundesamt, 2014) (see Fig. 2.6). 
Fig. 2.6 Passenger cars as main cause and accident types. Data (Source: Federal Statistical 
Office - DESTATIS, GIDAS) 


To date, we don’t have empirical proof of the cumulative safety increases of 
fully automated driving functions. Daimler compiled one of the first comprehen- 
sive forecasts in vehicle safety and accident research. It investigated the potential 
of automated vehicles regarding accident prevention based on assumed deploy- 
ment and market penetration scenarios. For these they relied on expert estimates, 
third-party forecasts and GIDAS data. The forecast provides an initial rough esti- 
mate and is based on a total of 198,175 preventable accidents caused by cars in 
2010 (see Fig. 2.6). 

The assumptions include changes within each type of accident (parallel traffic, 
stationary traffic, pedestrians, turning at/crossing intersections, turning, dynamic 
accidents). For instance, the pie charts show that accidents involving a car in 
parallel traffic or losing control will decline by around 15% by 2060 with incre- 
asing automation, while accidents when turning at or crossing intersections will 
proportionately rise by around 10% (Unselt, Schöneburg & Bakker, 2013). 

According to Daimler’s estimates for increasing automation, an overall decre- 
ase of 10% of accidents was achieved by 2020. In the following decades, 
reductions of 19% could be achieved by 2030, of 23% by 2040, of 50% by 2050, 
of 71% by 2060 and almost complete prevention by 2070 (Unselt, Schöneburg 
& Bakker, 2013). The forecast thus predicts that in 2070 an autonomous car will 
cause nearly no accidents, but may be at risk of being involved in serious collisi- 
ons. It can safely be assumed that an automated car will be able to prevent some 
collisions that another vehicle would have caused. However, it should be noted 
that this study does not include accidents caused by other road users. Potential 
technical failures (see Fig. 2.9) are also outside its scope. Furthermore, the data 
stemming from the German Federal Statistical Office, and above all the validity 
of GIDAS, mainly relies on crash and post-crash statements by injured people 
(see Schubert, Erbsmehl & Hannawald, 2012). 


2.12.3.2 World-Wide Accident Data Evaluation for Relevant Traffic 
Test Scenarios 

To obtain a comprehensive evaluation of highly and fully automated vehicles’ 
active safety in a development lifecycle (see Fig. 2.7), the author recommends 
incorporating findings from accident data collections around the world as well as 
analysis of incidents not resulting in injuries, near collisions, traffic simulations 
and weather data. 

Therefore, a first-time area-wide study based on all police reports has been 
carried out. The findings can be supplemented with information from hospitals, 
insurance companies and human behavior models. Once all relevant factors that 
can lead to a collision are known, virtual simulations based on quantitative and 
trained neural (e.g. AI) models can be performed. Possible system responses 
would be classified as true positive/true negative and false positive/false nega- 
tive. The evaluation of automated safety functions should consider all possible 
system responses (Helmer, 2015). 

The aim is to combine all known accidents by using geographically defined 
road accident data in conjunction with high-definition geographic digital mapping 
data (e.g. Google Maps, TomTom, Nokia HERE, OpenStreetMap) as well as traf- 
fic flow data from various sources (e.g. vehicles, cell phones, road traffic devices). 

Fig. 2.7 Recommended method with relevant test scenarios from around the world based 
on comprehensively linked-up, geographically defined accident-, traffic scene-, weather- 
and vehicle operation data pertaining to human and machine perception using Artificial 
Intelligence (AI) with trained Neural Networks for Deep Learning (Cordts et al., 2016) 


For example, SAFE ROAD MAPS (http://www.saferoadmaps.org) provides localized col- 
lision data in the US. The UK publishes similar details on www.data.gov.uk; 
these in turn are integrated into the UK Road Accident Map. German regio- 
nal accident data can be obtained from police IT applications. These depend on 
the federal state and include the Geographical Positioning, Analysis, Represen- 
tation and Information System (Geografisches Lage-, Analyse-, Darstellungs- und 
Informationssystem, GLADIS), the Road Accident Location Map and Analy- 
sis Network (Verkehrs-Unfall-Lage-Karten und Analyse-Netzwerk, VULKAN), 
the Geographical Police Information System for Road Accidents (Geografisches 
Polizeiliches Informationssystem für Verkehrsunfälle, GEOPOLIS V), the Bran- 
denburg Expert System for the Analysis and Documentation of Accident-Heavy 
Route Sections (Brandenburgisches Expertensystem für die Analyse und Doku- 
mentation von unfallauffälligen Streckenabschnitten, BASTa) or the widely used 
Topographical Electronic Accident Type Map (Elektronische Unfalltypensteck- 
karte, EUSka) (Dick, 2011). 
Currently, however, there is still a lack of precise specifications for OEM 
(Original Equipment Manufacturers) mass production solutions that are ready for 
market launch as well as reliable descriptions of the functional limits of highly and 
fully automated vehicles. Thus, to date forecasts of potential safety benefits rely 
heavily on numerous assumptions. Reliable data on market launch and penetration 
is also not available. Hence current predictions of potential safety benefits, which 
are solely based on accident data, have limited validity. It is therefore advisable 
to link in-depth accident data collections (e.g. GIDAS) with all available global 
accident data collections and analyses, traffic simulations, vehicle operation data 
and related weather information. 

The learning curve in figure 2.8 demonstrates the increasing amount of availa- 
ble real-world data of automated vehicle functions before and after market launch. 
For the identification of relevant critical scenarios, the author recommends regu- 
lar monitoring and analysis of all available data of automated functions (see also 
Annex A.17). These supply knowledge for sensor simulation, image classificati- 
ons and decision strategies regarding future connected automated vehicles. 
Fig. 2.8 Learning curve: Increase of available real-world data before and after market launch 
of automated vehicle functions to identify relevant critical scenarios for sensor simulation, 
classifications and decision strategies 




2.13 Potential Safety Benefits / Risks and Impacts 
on Testing 


2.13.1 Human Error versus Technical Failure in Full Automation 


Human performance in driving can be increased. The metaphorical example of 
the interaction of horse and rider shows that in the cooperative guidance of move- 
ment (see H-mode) redundant cooperation partners complement each other in 
their abilities with regard to perception and action, such as experience or tiring 
situations (Bengler & Flemisch, 2011). First of all, a fully automated vehicle 
must reach this safety level. Only fault-free fully automated vehicles will be able 
to come close to “Vision Zero”. On the one hand, human error must be considered 
among the causes of accidents; on the other hand, driving experience should not 
be underestimated. Machines can only handle driving situations that have been 
programmed. Beyond that, fully automated self-driving cars are restricted due to 
physical or technical limits. 

Based on the GIDAS accident database, the left-hand side of Fig. 2.9 shows 
the statistical distribution of accident causes. At 93.5%, “human error” is the 
main reason for road accidents. Compared to that, the impact of unfavorable 
driving conditions or the environment (for example road surface quality or the 
weather) is at 4.6% quite low, with technical failure being even lower at 0.7% 
(Volkswagen/German In-Depth Accident Study, 2010). 

Naturally, the possibility of accidents due to driver error is eliminated com- 
pletely during fully automated driving sections. The “technical failure” category 
could therefore increase proportionally, with the added technical risks of full auto- 
mation. As a consequence, the public can be expected to give it more attention 
(see Fig. 2.9). 

In the future, further evaluation and overcoming human error processes in real- 
life traffic situations (supplemented by global relevant test scenarios which are 
based on comprehensively linked up and geographically defined accident-, traf- 
fic flow- weather- and vehicle operation data collections) will facilitate virtual 
traffic simulations for safe development, tests and validation of automated cars 
(Kompass, Helmer, Wang & Kates, 2015). 
Fig. 2.9 Today 93.5% of accidents are due to human error. With full automation, human 
error would be eliminated. As a consequence, the proportion of technical failure may appear 
considerably greater in the future. Data (Source: GIDAS) 


2.13.2 Potential Safety Benefits - Human and Machine 
Performance 


Car traffic safety today relies mostly on human skills and their support by 
safety-enhancing systems. Fully automated vehicles will depend only on machine 
performance. According to the level of automation, humans’ perceptions, experi- 
ence, judgment and capacity to react will be replaced by technical systems. The 
potential safety benefits as well as the risks of increasingly automated driving 
can be attributed to the various strengths and weaknesses of both humans and 
machines. 

For instance, machines can neither react appropriately to unknown situations 
nor interpret the movements of children (see Dietmayer et al., 2015; Dietmayer, 
2016). On the other hand, people can be inattentive, misjudge speeds and distan- 
ces and have a more restricted field of vision than machines (Knapp, Neumann, 
Brockmann, Walz & Winkle, 2009). 
2.13.3 Artificial Intelligence versus Human Perception Limits 
and Consequence 


To demonstrate the limited machine perception and Artificial Intelligence in com- 
parison with human perception, a simplified model of current sensor technologies 
in use is described below. A vehicle requires sensors in order to collect informa- 
tion about its environment. Sensors can be classified according to their physical 
measuring principle. Cars mainly use radar, lidar, ultrasound sensors, near and far 
infrared, and cameras (see Maurer, 2000; Siedersberger, 2003). 

The top and center image of figure 2.10 illustrate simplified and color-coded 
measuring principles that lead to limited machine perception. The bottom image 
superimposes all the above-named measurements onto what human drivers can 
see in difficult light- and weather conditions (sun, backlight, wet road surface, 
spray/splashing water, icing/contamination of windshield/sensors, road markings 
only partially visible). A closer look shows that the radar reflection point (blue) 
on the left is a false detection, which has been caused by a reflection in the other 
lane (see Becker et al. 2004; Donner et al. 2004). 

Figure 2.10 illustrates that the outcome of machine perception and interpre- 
tation of complex traffic situations continues to present development engineers 
with considerable technical challenges. These include detecting static and dyna- 
mic objects, physically measuring them as accurately as possible, and assigning 
the correct semantic meaning to the detected objects (see Dietmayer, 2016). 

Difficult light- and weather conditions challenge human and machine percep- 
tion in real traffic situations. For this purpose, area-covering accident data analyses 
are able to indicate temporally and geographically related accident black spots. To 
analyze scenarios with reduced visibility due to fog, rain, snow, darkness and glare 
from sun or headlights, the author carried out a first-of-its-kind area-covering acci- 
dent study in cooperation with Christian Erbsmehl from Fraunhofer Institute for 
Transportation and Infrastructure Systems IVI in Dresden (see Ch. 3). 


2.13.4 Human Error versus Artificial Intelligence Incertitudes 


Fig. 2.10 Machine versus human perception (top image: radar in blue with lidar in yellow, 
center image: addition with Artificial Intelligence camera image processing in green and red, 
bottom image: overlay of machine perception with Artificial Intelligence, image recognition 
and human perception) 


Advancing vehicle automation of the main driver tasks results in new research 
questions. Attentive and vigilant drivers have substantial skills to deescalate 
dangerous traffic situations. Human capabilities provide significant input for 
traffic safety today. Differentiated potential benefit estimates would need to com- 
pare the performance of humans and machines. Especially takeover situations 
between driver and machine involve new challenges for design and valida- 
tion of human-machine interaction. Initial tests at the chair of Ergonomics at 
Technical University of Munich (TUM) demonstrate relevant ergonomic design 
requirements which will be continued (Bengler, 2015). 

Fundamental correlations between automation and human performance can be 
evaluated by many methods. It is possible to identify the probability of a road 
accident by the use of a fault tree. Amongst others the probability includes human 
failure, inappropriate behavior and the existence of a conflicting object (Reichart, 
2000). The choice of actions to avoid a collision is greater, if the potential road 
accident is less imminent. 

The evaluation of driver behavior requires observations over a longer period. 
Regarding human failures, analyzing the perception process chain provides in- 
depth knowledge. Such analyses draw on evaluations of psychological data from 
road accidents (Gründl, 2006). In terms of interdisciplinary accident analysis, 
an error classification of five categories has been validated by practical experience in 
accident research. This five-step method is a further development of ACASS 
(Accident Causation Analysis with Seven Steps). It was developed jointly with 
GIDAS along the lines of the seven-step principle from Jens Rasmussen, for- 
mer system safety and human factors Professor in Denmark, a highly influential 
expert within the field of safety science, human error, risk management and acci- 
dent research (Rasmussen, 1982). Using the five-step method it is possible to 
identify human errors, to locate the point in the perception process, from acces- 
sing the information to operation, at which the error occurred, and to evaluate the 
particular type of error (see Fig. 2.11). The associated questions concern: Information 
access (was the relevant information of the traffic situation objectively accessible 
to the driver? Was the field of vision clear?), information reception (did the driver 
observe the traffic situation properly and perceive/detect the relevant information 
subjectively?), data processing (did the driver correctly interpret the traffic situation 
according to the available information?), objective target (did the driver decide 
appropriately for the traffic situation?), and operation (did the driver carry out his 
or her decision properly?). 

Using this classification, the accident analysis shows that the predominant 
sources of human error lie in information access and reception (see Fig. 2.11); 
(Chiellino, Winkle, Graab, Ernstberger, Donner & Nerlich, 2010; Weber, Ernst- 
berger, Donner & Kiss, 2014). 
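The five-step chain described above, worked through in code as an added illustration (not code from the book, from GIDAS or from ACASS). It assumes that the five questions are answered in chain order and that the first question answered "no" names the error category; the sample cases are constructed.

```python
from collections import Counter

# The chain runs in the order of the perception process: access -> reception
# -> processing -> target -> operation. Each question is answered "yes" (True)
# or "no" (False) for one accident participant.
STEPS = (
    ("information_access",
     "Was the relevant information objectively accessible to the driver? "
     "Was the field of vision clear?"),
    ("information_reception",
     "Did the driver observe the traffic situation properly and perceive "
     "the relevant information subjectively?"),
    ("data_processing",
     "Did the driver correctly interpret the traffic situation according "
     "to the available information?"),
    ("objective_target",
     "Did the driver decide appropriately for the traffic situation?"),
    ("operation",
     "Did the driver carry out his or her decision properly?"),
)
NO_HUMAN_ERROR = "no_human_error"


def classify(case_id, answers):
    """Walk the chain and return the first step answered False.

    Assumption of this example: the chain stops at the first failure, so steps
    after it may be left unanswered, but every step before it must be answered.
    A missing earlier answer raises instead of silently shifting the error to a
    later step, which would distort the distribution."""
    for step, _question in STEPS:
        if step not in answers:
            raise ValueError(f"case {case_id}: no answer for step '{step}'")
        if not answers[step]:
            return step
    return NO_HUMAN_ERROR


def error_distribution(cases):
    """Map each error category to (count, percent) over an iterable of
    (case_id, answers) pairs, the kind of breakdown shown in Fig. 2.11."""
    counts = Counter(classify(case_id, answers) for case_id, answers in cases)
    total = sum(counts.values())
    return {cat: (n, round(100.0 * n / total, 1)) for cat, n in counts.items()}


# Constructed sample cases (not GIDAS data); the comment gives the scenario
# that the answers are meant to represent.
SAMPLE_CASES = [
    ("c01", {"information_access": False}),                # view blocked by a hedge
    ("c02", {"information_access": False}),                # dense fog
    ("c03", {"information_access": True,
             "information_reception": False}),             # driver inattentive
    ("c04", {"information_access": True,
             "information_reception": False}),             # looked but did not see
    ("c05", {"information_access": True,
             "information_reception": True,
             "data_processing": False}),                   # misjudged speed and distance
    ("c06", {"information_access": True,
             "information_reception": True,
             "data_processing": True,
             "objective_target": True,
             "operation": False}),                         # correct plan, steering error
    ("c07", {"information_access": True,
             "information_reception": True,
             "data_processing": True,
             "objective_target": True,
             "operation": True}),                          # other party caused the crash
]


if __name__ == "__main__":
    for category, (count, percent) in error_distribution(SAMPLE_CASES).items():
        print(f"{category:22s} {count:2d} ({percent:5.1f} %)")
```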

Fig. 2.11 Distribution of human error in road traffic (see Chiellino, Winkle, Graab, 
Ernstberger, Donner & Nerlich, 2010; Weber, Ernstberger, Donner & Kiss, 2014) 


Regarding accident statistics with reference to human driving errors as the 
stated cause of accidents, the proportion of driving failures is quantified with 
93.5% (source GIDAS). In addition, probabilities are indicated as follows: an evasive stress 
action to mitigate an imminent crash is indicated by p = 0.1 ... 1; an evasive action with 
a sufficient time gap is indicated by p = 10^-1 ... 10^-2 and trained lane keeping is 
indicated by p = 10% ... 10° (Bubb H, Bengler K, Grünen R-E, Vollrath M, 
2015; see also Fig. 4.11). 

For Artificial Intelligence perception, Klaus Dietmayer, Professor in Ulm at the 
Institute of Measurement, Control, and Microtechnology, Expert for Information 
fusion, Classification, Multi-Object Tracking, Signal processing and Identification 
(see Dietmayer, 2016) names three essential domains of incertitudes correspon- 
ding to human information access as well as data processing. These three are: 
firstly state-, secondly existence-, and thirdly class uncertainty. All three have a 
direct impact on machine performance. If the uncertainties in these areas increase 
beyond a yet to be defined “tolerable limit”, errors in the automatic vehicle gui- 
dance can be expected. In terms of making forecasts, only an indication of trends 
is currently possible. 


“While the currently known methods for estimating state and existence uncertainties do 
not enable a current estimation of the capability of the machine perception, in principle 
it is not possible to predict degeneration in the capability of individual sensors or even 
a failure of components.” (see Dietmayer, 2016) 
2.13.5 Potential Safety Benefits of Fully Automated Vehicles 
in Inevitable Incidents 


When analyzing the potential safety benefits of fully automated vehicles, it is also 
important to consider persistent risks in the area of complex traffic situations and 
today’s known inevitable incidents. These include accidents at poorly visible and 
unclear intersections or behind visual obstructions. In a study of individual cases 
as part of a doctoral thesis at the University of Regensburg, visual obstruction was 
identified as a contributory cause in 19% of all cases (Gründl, 2006). Examples 
include trees, bushes, hedges, and high grass. Obstructions, for instance, may also 
be the cause of an accident if a child runs out suddenly and unexpectedly in 
front of a car from between parked vehicles or from a yard entrance. 

This especially includes errors in the sequences of the perception process, where 
the accessing of information reaches its limits. 


“Due to the large number of possible and non-predictable events, especially the reactive 
actions of other road users, the uncertainties increase so strongly after around 2 s to 3 s 
that reliable trajectory planning is no longer possible on this basis.” (see Dietmayer, 
2016) 


Therefore experience-based, internationally valid guidelines with virtual simula- 
tion methods for verification of automated vehicles and final testing of the overall 
system limits in a real environment are recommended. This includes interaction 
tests with control algorithms and performance verification of real sensors in real 
traffic situations, particularly at the time just before a collision (Schöner, Hurich, 
Luther & Herrtwich, 2011; Schöner, 2015). 


2.14 Conclusion and Outlook 


The findings from road accident research confirm: human failure is the main 
cause of road accidents. This especially includes errors in the sequences of the 
perception process, in the accessing and reception of information. 

In order to estimate the potential safety benefits of highly and fully auto- 
mated vehicles from accident data, a sophisticated comparison of the overall 
performance of humans and machines is required (see Annex Fig. A.16). This, 
however, will only be possible when precise knowledge is available concerning 
the functional characteristics and technical limits of developments planned for 
mass production. 
Statistically verified expert assessments have already proven the potential bene- 
fits of future safety-supporting vehicle and driver assistance systems. Even before 
development begins, the developer can assess potential benefits. Additionally, by 
analyzing and evaluating traffic accidents after market launch, car manufacturers 
can fulfill their product monitoring obligations. 

Overall, the results of road accident analysis today verifiably show that 
automating driving tasks from the “driver only”, “assisted”, up to “partially auto- 
mated” driving categories are key technologies in contributing to minimizing the 
consequences of human failure. 

Forecasts for highly and fully automated vehicles, generated using traffic acci- 
dent data, only give results based on numerous assumptions. A forecast of fully 
automated vehicles’ potential safety benefits came from a first Daimler acci- 
dent research appraisal that is based on several expert assumptions. According to 
Daimler’s estimates, practically complete elimination of accidents is possible by 
2070 — assuming successful market penetration. However, according to the defi- 
nition given in the publication only accidents triggered by cars were looked at, 
and no consideration was given to physical limits and potential technical defects. 
This appraisal is thus based on some assumptions still to be refined and validated 
in more detail in the future. 

Above all, the possible technical potential (for example, unknown advances in 
Artificial Intelligence for machine perception) limits an accurate forecast. In par- 
ticular, development engineers are faced with considerable technical challenges 
when perceiving and interpreting complex traffic situations. Furthermore, human 
performance is often underestimated. According to findings from traffic accident 
analyses, assistance and partially automated systems are generally capable of com- 
pensating for weaknesses of human capabilities. They can increase safety in routine 
human driving situations with supervision, warnings and lateral or longitudinal 
support. On the other hand, to further reduce the number of traffic accidents, dri- 
verless vehicles must at least match the driving skills of an attentive human driver 
(supported by assistance and partly automated systems) before series development 
can be considered. Only when these technical barriers have been overcome, can 
a large-scale rollout of marketable fully automated vehicles be expected. 

Until then (as an alternative measure for the assessment of potential safety 
benefits) assumptions about a technical system configuration and system 
design have to be made without knowing the system limits or failure rates. 

In summary, the following issues limit the validity of the potential safety bene- 
fit forecasts from “driver-only” to fully automated vehicles and will have impact 
for testing: 
— Fully automated vehicles’ degree of efficiency cannot be precisely quantified at 
present, as numerous technical and market-specific factors are still not known 
in detail. The evaluation of automated safety functions has to consider all 
possible system responses: True positive (or negative) and false positive (or 
negative). 

— The potential safety benefits stated so far for the four levels of automation (from 
driver-only to advanced functionalities) should be judged and used with 
care, depending on the data used. The validity and forecasting reliability of 
the data material both depend on the selection and evaluation of available 
parameters. 

— Various approaches to evaluating potential benefits are to be compared with 
each other under expert consideration. Areas of action show the ideal maxi- 
mum of possible preventable road accidents. In contrast to this is the actual 
identifiable efficiency, which is considerably lower. 

— The validity of evaluation methods can vary greatly: In addition to experienced 
accident investigators, it is recommended to involve medics, psychologists 
and development experts for automated functions in the analyses. Such multi- 
layered background information allows the investigator to get a complete overview 
of a complex accident incident and reconstruct or analyze it more precisely 
than a colleague without this detailed knowledge. 

— There are often many overlapping areas of action within and between analyses 
of potential benefits, which reduce the overall area of action. 

— To obtain further findings for the development and design of safe automa- 
ted vehicles (see Ch. 2), existing in-depth surveys of severe road accidents 
involving personal injury (e.g. GIDAS) should be combined with available 
area-covering accident collision data, digital geographic mappings, weather 
data and virtual traffic simulations (see Ch. 3). 

— Starting from the level highly automated and beyond, persons involved in an 
accident have — temporarily at least — no responsibility for the controllability 
of the vehicle. Measures to reduce risks and guarantee the functional safety of 
electrical and/or electronic systems are thus of prime importance. 

— It may be assumed that individual accident scenarios may still arise as a result 
of increased degrees of automation, right up to full automation, in spite of a 
rule-consistent way of driving. This applies, for instance, to physical driving 
limits or time-critical situations, such as a child running suddenly in front of a 
vehicle. 

— Area-wide accident analyses provide relevant scenarios for testing and veri- 
fication of automated vehicles including virtual simulation methods, but final 
testing of the overall system limits in a real environment will not be completely 
eliminated. 


Even if the technology of driverless cars never reaches 100% perfection, and a few 
as yet unknown accident scenarios arise as a result, the vision of area-covering dri- 
verless vehicle use in road traffic appears to promise a socially desirable benefit. 
Research activities that make use of interdisciplinary experts working on vehicle 
automation should therefore be promoted and strengthened. It is recommended 
to combine in-depth accident data with all worldwide geographically defined 
accident data collections and related weather, traffic flow and vehicle operation data, 
while observing data protection measures. This will lead to actual safety 
benefits and statistically relevant scenarios for development including validation 
or testing of automated driving pertaining to machine versus human perception. 
Analysis of Poor Visibility Real-World 
Test Scenarios 


The contents of the following chapter were already published within “European 
Transport Research Review” (Winkle T, Erbsmehl C, Bengler K, Area-wide real- 
world test scenarios of poor visibility for safe development of automated vehicles, 
2018). 

With regard to requirements for system validation and testing of automated 
vehicles for successful development, market launch and social acceptance, the 
available information content of all daily traffic accidents has not yet been fully 
exploited. It goes without saying that automated series production vehicles have to 
be safe under all conceivable real-world traffic situations. This also applies under 
all weather conditions or in the case of micro accidents with the slightest damage 
similar to near-accidents. In order to develop and validate such vehicles with 
reasonable expenditure, a first area-wide analysis based on 1.28 million police 
accident reports was conducted including all police reports in Saxony from 2004 
until 2014 concerning bad weather conditions (German traffic accident report: 
forms and subject areas; see Annex Fig. A.1). 

Based on this large database, 374 accidents were found with regard to percep- 
tion limitations for the detailed investigation. These traffic scenarios are relevant 
for automated driving. They will form a key aspect for future development, 
validation and testing of machine perception within automated driving functions. 

This first area-wide analysis does not only rely on random checks as in current 
in-depth analyses but provides real-world traffic scenarios knowing the place, time 
and context of each and every accident over the whole investigated area. 
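An added illustration of the area-wide selection step described above (not code from the book, from Fraunhofer IVI or from the SMI database): constructed police-style accident records are filtered for perception-limiting conditions, grouped into temporal and geographic black spots, and summarized by accident type and condition set. The record layout, condition codes and sample rows are assumptions for this example and do not reproduce the German accident report form.

```python
import csv
import io
from collections import Counter

# Constructed sample records (layout, codes and values are assumptions for this
# illustration, not the Saxony police report form or the SMI database).
SAMPLE_CSV = """case_id,date,hour,lat,lon,accident_type,light,weather,glare
1,2011-01-12,7,51.050,13.737,201,darkness,fog,0
2,2011-01-12,7,51.051,13.738,201,darkness,fog,0
3,2011-06-03,14,51.340,12.375,311,daylight,dry,0
4,2012-11-20,17,51.050,13.737,201,twilight,rain,0
5,2013-02-05,8,50.830,12.920,102,daylight,snow,0
6,2013-08-15,19,51.050,13.737,201,daylight,dry,1
7,2014-12-01,7,51.049,13.742,101,darkness,dry,0
8,2010-04-02,12,51.340,12.375,311,daylight,dry,0
"""

# Conditions named in the text that limit human and machine perception alike.
WEATHER_LIMITING = {"fog", "rain", "snow"}
LIGHT_LIMITING = {"darkness"}


def parse_records(text):
    """Parse CSV text into dicts with typed hour, coordinates and glare flag."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["hour"] = int(row["hour"])
        row["lat"] = float(row["lat"])
        row["lon"] = float(row["lon"])
        row["glare"] = row["glare"] == "1"   # glare from sun or headlights
        records.append(row)
    return records


def visibility_limits(record):
    """Return the set of perception-limiting conditions recorded for one accident."""
    limits = set()
    if record["weather"] in WEATHER_LIMITING:
        limits.add(record["weather"])
    if record["light"] in LIGHT_LIMITING:
        limits.add(record["light"])
    if record["glare"]:
        limits.add("glare")
    return limits


def poor_visibility_cases(records):
    """Keep only accidents with at least one perception-limiting condition."""
    return [r for r in records if visibility_limits(r)]


def black_spots(records, precision=2):
    """Count cases per (grid cell, hour of day), most frequent first.

    A cell is lat/lon rounded to `precision` decimals; at 2 decimals that is
    roughly a kilometre, enough to group one junction's accidents together."""
    counts = Counter()
    for r in records:
        cell = (f"{r['lat']:.{precision}f}", f"{r['lon']:.{precision}f}")
        counts[(cell, r["hour"])] += 1
    return counts.most_common()


def scenario_summary(records):
    """Group poor-visibility cases by standardized accident type and condition
    set; each key is a candidate real-world test scenario."""
    summary = Counter()
    for r in poor_visibility_cases(records):
        summary[(r["accident_type"], tuple(sorted(visibility_limits(r))))] += 1
    return summary


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    poor = poor_visibility_cases(recs)
    print(f"{len(poor)} of {len(recs)} records involve limited visibility")
    for (cell, hour), n in black_spots(poor)[:3]:
        print(f"cell {cell} at {hour:02d}:00 -> {n} cases")
    for (atype, conds), n in scenario_summary(recs).items():
        print(f"type {atype} under {'+'.join(conds)}: {n}")
```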
3.1 Motivation 


Automated research vehicles increasingly show higher levels of automation than 
present series production vehicles. Even when using highly automated functi- 
ons, the driver is only temporarily limited in controlling the vehicle for a safe 
and collision-free journey (Gasser T, et al. 2012; Society of Automotive Engi- 
neers SAE international 2014; National Highway Traffic Safety Administration 
NHTSA, 2013). 

Despite numerous unknown accident avoidances, the safety significance has been evi- 
dent since the example of a first fatal crash while driving with the so-called 
“Autopilot” vehicle in Florida on May 7, 2016. According to the accident report, 
the driver of a passenger car died in this collision with a tractor trailer: 

“Vehicle 01 (V01) was traveling westbound on US-27... proceeded to make a 
left turn ... V02’s roof struck the underside of V01’s trailer ... Driver 02 ... was 
pronounced deceased ...” (Fulton, D. M, 2016) 

Tesla Motors, the manufacturer of the car, subsequently acknowledged that the 
car was in “Autopilot” mode. The system failed to recognize a white object against 
a brightly lit sky as a tractor trailer and therefore did not activate an emergency 
braking. Meanwhile the driver was watching a film. 

Measures to reduce such risks and guarantee the functional safety of electrical 
and/or electronic systems are thus of prime importance. Automobile manufac- 
turers have to consider limitations in how machines perceive, process and react 
adequately to their surroundings so that automated vehicles will conduct a conflict- 
and collision-free journey (Matthaei R, Reschka A, Rieken J, Dierkes F, Ulbrich 
S, Winkle T, Maurer M, 2015). In addition, extended concepts for human machine 
interaction of highly automated functions are arising at takeover situations (Beng- 
ler K, Flemisch F, 2011; Bengler et al. 2018). A prerequisite for this is further 
technological development of assistance systems with more capable sensor and 
information technologies, allowing for a steady automation of driving tasks in 
vehicle control, right up to self-driving vehicles (Bengler K, Dietmayer K, Far- 
ber B, Maurer M, Stiller C, Winner H, 2014). Vehicles supported by partly or 
fully automated systems must — at the very minimum — match the driving skills 
of an attentive human driver, before considering series development. The mea- 
sures necessary for ensuring a correspondingly high functional reliability extend 
from the development stage to the entire life cycle of automated vehicles, and 
especially its electronic components. 

For a safe development through minimizing risks, manufacturers carry out risk 
management (Donner E, Schollinski H-L, Winkle T, et al. 2004). Amongst other 
measures (see Fig. 4.9) risk management takes real-world scenarios based on 
accident data into account. However, until now mainly random samples of traffic 
accident research have been carried out by various organizations. Their research 
encompasses the subfields of accident surveys/statistics, accident reconstruction, 
and accident analysis (Chiellino U, Winkle T, Graab B, Ernstberger A, Donner E, 
Nerlich M, 2010). 

The currently best-known method for the evaluation of active safety systems 
and automated systems is dynamic forward calculation based on real pre-crash 
scenarios of traffic accidents (Erbsmehl C, 2009). It is carried out by means of 
various tools, for example rateEFFECT (Lutz L S, Tang T, Lienkamp M, 2012) 
or (PreScan Tass International, 2016). One of the biggest simulation databases, 
the pre-crash matrix of Traffic Accident Research Institute of TU Dresden GmbH 
(VUFO GmbH), was first introduced in 2013 and offers a range of about 5,000 
pre-crash scenarios based on the GIDAS database, which can be used for simulati- 
ons (GIDAS - German In-Depth Accident Study). Furthermore, other institutions 
such as the Hannover Medical School, as well as vehicle manufacturers and the 
German insurance industry, all carry out their own accident research. Central to 
this is investigating accidents directly at the scene, statistically recording and ana- 
lyzing them according to certain characteristics, and, where needed, using this to 
further develop effectiveness of future vehicle automation (Langwieder K, Bengler 
K, Maier F, 2012). 

Accident databases can be divided into two different kinds: the so-called in- 
depth databases such as GIDAS (Germany), INTACT (Sweden), iGLAD (EU), 
NASS-CDS (US National Automotive Sampling System, Crashworthiness Data 
System) or CIREN (US Crash Injury Research and Engineering Network), and 
secondly national statistics (e. g. Destatis). 

In-depth databases normally contain fewer accidents with many detailed varia- 
bles (GIDAS in Germany contains around 2,000 accidents per year with up to 
3,000 variables). Conversely national statistics cover the huge amount of all recor- 
ded accidents (e.g. 2.4 million registered accidents in Germany) but only give 
limited information about these collisions. 

In contrast to the two above, the scenarios in this publication provide both: a 
large database and more extensive information from police recording with regard 
to standardized validation and testing. For the following analysis 1.28 million 
area-wide police accident data between 2004 and 2014 from the Saxony State 
Interior Ministry (Sächsisches Ministerium des Inneren SMI) were used. The data- 
base covers all traffic accidents on the entire road network of Saxony. Exclusive 
access to the corresponding database was provided by Fraunhofer Institute for 
Transportation and Infrastructure Systems (IVI). The process of this evaluation in 
cooperation with Fraunhofer IVI is based on 297 standardized types of accidents. 
The following questions will be discussed, using the database provided by the 
SMI: 


— Which factors support a safe development, validation and ethical testing? 

— What is the significance of bad weather conditions, based on a first area-wide 
analysis of traffic accidents in Saxony, regarding the introduction of automated 
vehicles? 

— Which real-world scenarios are relevant for the development, evaluation and 
testing of automated vehicles? 


3.2 Safe Development, Validation and Testing 
3.2.1 Return of Feedback from Lifecycle of Automated Vehicles 


A safe development for safe automated vehicles is a key requirement. It also 
relates to the interaction between the vehicle and its environment. Using the sup- 
port of systems with lower automation degrees requires a safe driver interaction 
including safe take-over procedures (Matthaei R, Reschka A, Rieken J, Dierkes 
F, Ulbrich S, Winkle T, Maurer M, 2015; Bengler K, Zimmermann M, Bortot D, 
Kienle M, Damböck D, 2012). Development with regard to safe usage of driver- 
less vehicles must ensure ability to recognize the criticality of a situation, decide 
on suitable measures for averting danger (e.g. degradation, driving maneuver) that 
lead back to a safe state, and then carry out these measures. 

To fulfill the required safety confirmation, Fig. 4.14 recommends a circuit of 
working methods from the development team which can be supported by addi- 
tional experts, confirmation tests using relevant test scenarios and monitoring 
automated vehicles after market introduction up to decommissioning. In the final 
stages of developing an automated vehicle, the development team has to verify 
that a vehicle reacts as previously predicted or in other ways appropriate to the 
situation. 

There are three valid methodologies to prove the safety confirmation. A direct 
sign-off will be carried out through an experience-based recommendation of the 
automated vehicle development team itself. In addition, final evidence of safety 
can be passed after corresponding reconfirmation via an interdisciplinary forum of 
internal and external experts or an objective proof. Evidence of functional safety 
is possible via means of a confirmation test with relevant traffic scenarios. They 
are based on real-world scenarios with weather data (see Ch. 3), vehicle operation 
data, or other verifiable samples from monitoring of operation and service until 
decommissioning. 

This book provides selected traffic scenarios to configure and perform confir- 
mation tests for example virtual-, trial area- or field tests of automated vehicles. 
Starting from chapter 3, relevant real-world scenarios with reduced visibility for 
human and machine perception were considered. The scenarios were analyzed 
from traffic accident police reports with difficult weather conditions. 


3.2.2 Requirements for Automated Driving to Minimize Risk 


The selected scenarios from chapter 3 also support the fulfillment of requirements 
for automated vehicles. A minimum requirement any vehicle must meet—in order 
to be marketed by a manufacturer — is compliance with directives and regulations. 

For safe automated driving functions, interdisciplinary coordinated develop- 
ment and approval processes are required, which constantly have to be adapted 
for new technologies. Standards and technical specifications with regard to auto- 
mated or assisted vehicle functions have been growing steadily over the last years. 
As a part of the obligation to ensure traffic safety, new requirements for designing 
automated vehicles will be developed incrementally and previous approaches will 
be adapted. In particular, minimizing risks, hazards or damage can prevent tech- 
nical failures. Examples of requirements in the European Union or the United 
States can be divided in two categories (see Fig. 3.1): Type approval (grey) and 
duty of care (blue). 


3.2.2.1 Requirements for Duty of Care 

To demonstrate Duty of Care, ISO standards from the International Organization 
for Standardization (ISO) have to be complied with as a state-of-the-art requirement. Over 
the years, many ISO standards have been elaborated for new automated vehicle functions (see 
examples in Fig. 3.1). They include: ACC Adaptive Cruise Control (ISO 15622), 
APS Assisted Parking System (ISO 16787), CSWS Curve Speed Warning System 
(ISO 11067), ERBA Extended Range Backing Aid (ISO 22840), FVCWS For- 
ward Vehicle Collision Warning System (ISO 15623), FVCMS Forward Vehicle 
Collision Mitigation System (ISO 22839), Automotive Cybersecurity (ISO 21434) 
and ISO TR 4804 followed by ISO TS 5083 Safety and cybersecurity for 
automated driving systems. 
Fig. 3.1 Requirements for Type Approval and Duty of Care to minimize risk, hazards and 
possible damage of automated driving [3], [16], [18] 


The design of automated systems from an ergonomic point of view is a key 
issue as well. Examples for standards based on ergonomic aspects of transport 
information and control systems are: Calibration tasks for methods which assess 
driver demand due to the use of in-vehicle systems (ISO 14198), specifications 
and test procedures for in-vehicle visual presentation (ISO 15008) or a simulated 
lane change test to assess in-vehicle secondary task demand (ISO 26022). Cen- 
tral requirements for safe development are considered in standards such as the 
ADAS Code of Practice definition for Level 0-2 Systems (Knapp A, Neumann 
M, Brockmann M, Walz R, Winkle T, 2009), Code of Practice for Automated 
Driving for Level 3-4 Systems (Annex Fig. A.8), ISO 22737 Intelligent transport 
systems — Low-speed automated driving (LSAD) systems for predefined routes 
— Performance requirements, system requirements and performance test proce- 
dures, ISO 26262 functional safety (ISO 26262-3, 2018) or ISO 21448 (Publicly 
Available Specification PAS) (ISO/PAS 21448, 2019). Overall, the 2009 SOTIF 
ISO standard supports SOTIF, Safety Of The Intended Functionality, a part of 
technical safety that deals with the hazards of technical systems. At the heart of 
SOTIF is the uncertain question of how to specify, develop, verify and validate 
an intended function so that it can be considered reasonably safe. Accordingly, 
the following questions must be considered when designing a driver assistance 
system with regard to SOTIF: 
— What are the limitations of the sensors you use? 

— How do the actuator limits affect the intended function? 

— How can the driver incorrectly use an assistance system? 

— Which verification and validation measures have to be taken to test the intended 
function? 


Ergonomically the demands for automated driving systems can be assigned to all 
three levels of tasks while driving: 

Primary tasks include everything that is directly involved in the driving task, 
such as longitudinal and lateral guidance. Secondary tasks support safe driving, 
including activating the windshield wipers or headlamps, which today are usually 
automatically operated by assistance systems. Tertiary tasks, such as controlling infotain- 
ment systems in the vehicle (radio, navigation system, telephone or other 
information from the internet), are increasingly requested. To this day, for safety 
reasons the primary driving task should always be at the center of the attentive 
driver’s attention. 

The focus of the following schematic representation is on the capabilities of 
sensor technology and data processing particularly with regard to those functions 
that relate to the primary driving task (navigation, maneuvering and stabilization). 
Especially by supporting the maneuvering task, driving in the corresponding dri- 
ving sections has changed significantly compared to previous driving habits (Bubb 
H, Bengler K, Grünen R-E, Vollrath M, 2015). 

While ISO standards in the EU tend to have more of a minimum-requirement character, safety standards set by SAE International in the US and Canada are seen as legally binding. SAE International was initially established as the Society of Automotive Engineers (SAE) and coordinates the development of technical standards for engineering professionals in various industries. Currently several SAE standards for several functions exist, including Adaptive Cruise Control (ACC) and Pedestrian Collision Mitigation System (PCMS) (see Fig. 2.5). 


3.2.2.2 Requirements for Type Approval 

In order to introduce an automated vehicle with all its components into the international market, it is necessary to comply with the required market-specific type approval regulations. 


— EU market: 
For the EU member states and other contractual partners, harmonized regulations apply. To receive type approval of motor vehicles, especially the provisions for braking and steering set by the Economic Commission for Europe of the United Nations (UN/ECE) must be fulfilled. Each country that joined the 1958 Agreement or the 1998 Agreement on Global Technical Regulations (GTRs) has the authority to test and approve manufacturers' designs. The harmonization of vehicle regulations starts with exemplary requirements such as ECE R 1 (headlights) and goes up to ECE regulation R 13, whose uniform provisions concerning the approval of braking are compatible with automated driving systems. In contrast, the construction provisions of ECE R 79 (revision 2, chapter 5) with regard to steering equipment already contain limitations for “low speed maneuvering or parking operations”. Other relevant examples are constantly expanding: ECE R 130 and ECE R 152 (Lane Departure Warning System LDWS), ECE R 131 (Advanced Emergency Braking Systems AEBS), ECE R 151 (Blind Spot Information System for the Detection of Bicycles), ECE R 155 (Cyber Security), ECE R 156 (Software Updates) or specifically ECE R 157 (Automated Lane Keeping Systems ALKS). The UN ECE regulation R 157 allows temporary hands-free driving when a belted driver is available on motorway-like roads under suitable environmental and infrastructure conditions with a maximum speed of up to 60 km/h: 


“Automated Lane Keeping System (ALKS) for low speed application is a system which 
is activated by the driver and which keeps the vehicle within its lane for travelling 
speed of 60 km/h or less by controlling the lateral and longitudinal movements of the 
vehicle for extended periods without the need for further driver input.” 


The Vienna Convention on Road Traffic is designed to facilitate international road 
traffic and to increase road safety by establishing standard traffic rules among 
the contracting parties. The convention was agreed upon at the United Nations 
Economic and Social Council’s Conference on Road Traffic in 1968. It stipulates 
that the driver has to control the vehicle under all circumstances. 

In 2014, the Convention was supplemented by a paragraph in Article 8: 


“Vehicle systems which influence the way vehicles are driven shall be deemed to be in conformity with paragraph 5 of this Article and with paragraph 1 of Article 13, when they are in conformity with the conditions of construction, fitting and utilization according to international legal instruments concerning wheeled vehicles, equipment and parts which can be fitted and/or be used on wheeled vehicles” ... 

“Vehicle systems which influence the way vehicles are driven and are not in conformity with the aforementioned conditions of construction, fitting and utilization, shall be deemed to be in conformity with paragraph 5 of this Article and with paragraph 1 of Article 13, when such systems can be overridden or switched off by the driver ...” 


This means that new systems are also considered to be consistent if they comply 
with the approval regulations, in essence the ECE directives. If they do not comply 
with the regulations, they should be considered to be in accordance if they can be 
overridden or switched off by the driver. 

A future goal for fully automated vehicles is the modification that they will 
be treated like human drivers (United Nations Economic and Social Council’s 
Conference on Road Traffic in 1968). 


— US market: 


In order to sell a motor vehicle in the North American market, a vehicle manufacturer must certify that the vehicle meets performance requirements specified in the Federal Motor Vehicle Safety Standards (FMVSS). US and Canadian vehicle safety regulations operate on the principle of self-certification. The manufacturer or importer of a vehicle or item of motor vehicle equipment certifies, asserts and promises that the vehicle or equipment complies with the safety standards. 

The FMVSS encompass 73 separate standards that generally focus on crash 
avoidance, crashworthiness, and post-crash survivability. First introduced through 
the National Traffic and Motor Vehicle Safety Act of 1966, these standards have 
been developed with the assumption that vehicles are driven by a human driver. 
However, a review in 2016 revealed that there are few barriers for automated 
vehicles to comply with FMVSS, as long as the vehicle does not substantially 
deviate from a conventional vehicle design. Two standards (theft protection and 
rollaway prevention FMVSS 114 and light vehicle brake systems FMVSS 135) 
were identified to be updated for automated vehicles with conventional designs 
(Kim A, Perlman D, Bogard D, Harrington R, 2016). 


3.3 Real-World Scenarios for Development and Testing 


3.3.1 Machine versus Human Perception Limits 
with Consequences for Testing 


To illustrate the challenge of human perception and, furthermore, the limited performance of machine perception with Artificial Intelligence under difficult weather conditions, one example has been demonstrated previously. This example results from the comprehensive accident analysis of accidents with restricted visibility described in detail later in this chapter. The real-world situation below (Fig. 3.2) considers the single fatal pedestrian accident which was found in this analysis. The translated police accident report describes the circumstances as follows: 


... The pedestrian 01 walked along State Road S 227. He was on the left 
side of the road. Approximately 100 meters after a branch a collision with the 
oncoming car 02 occurred. The pedestrian was under the influence of alcohol 


Fig. 3.2 represents the real accident scene before the collision, including a simplified model of currently available sensor technologies with image recognition and Artificial Intelligence. To be able to collect information about its environment, a vehicle needs sensors, which are classifiable according to their physical measuring principle. The automobile sector mainly uses radar, lidar, near and far infrared, ultrasonic sensors, and cameras. Camera sensors have limited perceptual performance in the dark. Lidar and radar sensors, by contrast, are active sensors: they emit laser pulses in the infrared range or radar radiation and measure the distance to objects, their relative speed and their size on the basis of reflections. These sensor principles work quite reliably in clear visibility and darkness, as long as there are no additional weather restrictions such as the snow in this example. 

The upper and center images of Fig. 3.2 show what humans might perceive under difficult light and weather conditions (rain, snow, backlight, wet road surface, spray/splashing water, icing/contamination of windshield/sensors, road markings only partially visible). In addition, the center and lower images depict, simplified and color-coded, the limited machine perception and interpretation of the individual measuring principles. The center image superimposes human and machine perception. Using all of the above-named measurements, it is revealed in this scenario that the left-hand radar reflection point (blue) is a false detection, caused by a reflection in the opposite lane. The lower image demonstrates the challenge of relying on machine perception and interpretation alone. 

Difficult lighting and weather conditions challenge human and machine perception in real traffic situations. Furthermore, machine interpretation of complex traffic situations continues to present development engineers with considerable technical challenges. These include detecting static and dynamic objects, physically measuring them as accurately as possible, and allocating the correct semantic meaning to the detected objects. 
Fig. 3.2 Example of a fatal pedestrian accident in Saxony. Challenge of human and machine perception of a pedestrian with image recognition and Artificial Intelligence. Left side: pedestrian is visible in the light beam and closer than the oncoming vehicle. Right side: pedestrian is invisible outside the light beam for human perception when the distance is greater than that of the oncoming vehicle lights (upper images: driving scene with human perception; center images: overlay of human with machine perception, radar in blue, lidar in yellow, camera image processing in green and red; lower images: driving scene with machine perception and interpretation using image recognition and Artificial Intelligence) 


To analyze scenarios considering reduced visibility due to fog, rain, snow, 
darkness and glare from sun or headlights, a first of its kind area-wide accident 
study with support from Daimler Research, the Daimler and Benz Foundation and 
the Fraunhofer IVI for Transportation and Infrastructure Systems in Dresden was 
carried out. This area-wide accident data analysis is able to indicate temporally 
and geographically related accident black spots. 


3.3.2 Relevant Real-World Scenarios for Development 
and Testing 


Figure 3.3 shows that the current possibilities of such an area-wide traffic scenario investigation for developmental requirements offer further insights, for example also with regard to near-miss accidents. 

Fig. 3.3 Accident investigations offer further insights, also for near-miss accidents (see also Fig. 3.5). (Source: Winkle T.) 


Area 1, shown as a globe on the left in Figure 3.3, stands for day-to-day safe 
traffic scenarios that do not lead to collisions. Most of these scenarios are not 
known to us. 

The small grey area 2 contains the traffic scenarios that have been investigated in depth, but are only partially researched today. Among them are findings from field studies and investigations of traffic accident research, which usually analyze the “worst case”. German accident statistics in 2020 show that a fatal traffic accident occurred only every 270 billion kilometers driven (see Annex Fig. A.13). Restricted accident recording criteria, for example those of OEMs or GIDAS, often limit the number of accidents to certain locations, times, special collision conditions such as airbag deployment, involvement of injured persons, special pedestrian accidents, vehicle types or other general conditions, and must therefore first be weighted for statistical relevance. 

Area 3 contains all previously unknown and unresearched traffic scenarios. 

The hatched red overlap as area 4 between areas 2 and 3 represents traffic 
accidents with fatalities or injuries that are only investigated to some extent or 
are accessible, for example, via accident type catalogues. 
The aim up to sign-off and SOP, illustrated by the right-hand grey area 2, is to extend the selectively investigated traffic situations to cover all traffic accidents area-wide, including the smallest accidents (micro-accidents) with minor touching and traffic violations without damage. This allows conclusions to be drawn about near-miss accidents. Also included are accidents resulting only in injuries or only in material damage, which account for a significant proportion. In 2020, 327,550 people were injured in road traffic and at the same time less than 2 million traffic accidents with material damage were documented (see Annex Fig. A.14 and A.15). All these scenarios are described electronically in police databases with the exact location. 

As a result, this increases area 2 on the right-hand, while at the same time 
reducing all limited or unresearched scenarios, as illustrated by the now smaller 
areas 3 and 4. 

In this research, area 2.x is representative of the federal state of Saxony and is recommended as a further piece of the puzzle for the extension of the selectively researched restricted-visibility scenarios in area 2. The analysis of poor-visibility real-world test scenarios is also generally mentioned in the ISO standard 21448 published in 2019 (ISO/PAS 21448, 2019). According to the standard, each scenario starts with a starting scene. Within these, actions, events, goals and values can be defined in order to describe the chronological sequence within a scenario. In comparison to a scene, a scenario extends over a certain period of time. The official statistics collect more than 100,000 accidents in Saxony annually. This analysis is based on all 1,286,109 police-recorded accidents over ten years starting from the year 2004. Figure 3.4 shows the number of these accidents from 2004 to 2015 and their consequences with regard to personal injury or property damage. 
Fig. 3.4 Area-wide analysis based on 1,286,109 police-recorded accidents in Saxony from 2004-2014 

The analysis of area-wide traffic accidents with difficult weather conditions and reduced visibility for human and machine perception produces the results below. Through the analysis of all 1,286,109 police reports from the years 2004 to 2014 in Saxony, 374 accidents with the above-mentioned criteria were found. 

Fig. 3.5 presents all geographically assigned accident sites with relevant scenarios due to limited visibility. The accident severity ranges from the slightest damage, such as a scratch (similar to a near-miss), to the dramatic fatal pedestrian accident mentioned above. 

The knowledge of all area-wide collisions over the complete range of unusual 
collisions, from micro accidents to the most serious crash, with knowledge of 
the exact geographical location of the accident, forms the basis for the in-depth 
accident analysis concerning virtual, trial and field tests of automated vehicles. 
Fig. 3.5 Area-wide geographically related traffic accidents with difficult weather conditions and reduced visibility for human and machine perception. (Geographical data © state-owned enterprise geo basic information and measurement Saxony 2015) 


For a deeper insight into the subject, the author conducted a case-by-case analysis of all information given in the police accident reports with the following findings: 

3.3.2.1 Categories of Accident Causes With Reduced Visibility 

A total of 374 area-wide traffic accidents with 417 accident causes can be subdivided into seven main categories of difficult weather conditions (see Fig. 3.6). They include 237 collisions (by far the largest part) due to reduced visibility by fog. In addition, there were 61 cases with glare or blinding from the sun, 60 cases due to rain, 22 cases due to snow and eight cases due to blinding by the headlights of oncoming traffic. Only four cases were primarily connected to visual obstructions. 
Fig. 3.6 Distribution of 374 accidents with fog, glare, rain and snow in Saxony 


\[
p = \frac{\text{Number of accidents connected to associated visual obstruction}}{\text{Number of all area-wide accidents}} \qquad (3.1)
\]

The four accidents provoked by visual obstructions through parking vehicles 
(pedestrian accident), a garbage can and snow piles are described as follows: 


... In height of position ... Mrs. ... crossed the lane on foot. Thereby she 
walked from between parking cars right after a passenger car into the driving 
lane... Because of the rain, she was holding an umbrella in front of her ... 

... Due to poor visibility (snow piles) and traffic caused, driver 01 had to move 
further on in ... street ... 

... Driver 01’s view of the access road was restricted by a garbage can ... 
... According to statements by driver 01, the view was restricted by snow piles with regard to 02 ... 


3.3.2.2 Injuries Caused by Accidents With Reduced Visibility 

In the 374 relevant accidents, 760 people were involved. The majority of these collisions resulted only in property damage. In total, 609 people remained uninjured, 99 people were slightly injured, 51 were badly injured and one person was killed (Fig. 3.7). 


Fig. 3.7 Injuries from 374 accidents with difficult weather conditions and 749 participants (chart title: Injuries, n = 374 accidents with 760 participants) 


3.3.2.3 Accident Types in Connection With Reduced Visibility 
Furthermore, the conflict situations were categorized in accident types. In the 
context of the cause of the accident that led to the conflict, the accident type 
(UTYP) describes the initial phase before the damage occurs. On the main level 
seven types of accidents can be distinguished, which can be further subdivided 
into a second or third level. The main levels are (Accident Research Department 
of the German Insurance Association 2003): 
— UTYP 1xx: dynamic accidents (driver lost control over the vehicle, such as inappropriate speed, incorrect assessment of road course or road condition) 
— UTYP 2xx: accidents during turning 
— UTYP 3xx: turning at/crossing intersections 
— UTYP 4xx: pedestrian accidents 
— UTYP 5xx: stationary traffic 
— UTYP 6xx: parallel traffic 
— UTYP 7xx: other accidents 


As a result, Fig. 3.8 shows that the largest group of 71 accidents is related to several accident types in longitudinal traffic (UTYP 199). Furthermore, 45 right-turn collisions (UTYP 102) occurred. Another 26 collisions were related to bends in the roadway (UTYP 139) and 20 to left-turn collisions (UTYP 101). 

Further on, 44 wildlife accidents (UTYP 751), 26 collisions with vehicles turning left in front of oncoming traffic (UTYP 211) and 17 other collisions in oncoming traffic occurred. 

The large proportion of dynamic accidents (UTYP 1: 101-199) with 49 percent reflects that drivers often lose control over their vehicles under difficult weather conditions (Fig. 3.9). 
Fig. 3.9 Distribution of accident types (UTYP 1xx-7xx) with difficult weather conditions 


3.3.2.4 Evasive Maneuvers to Avoid Accidents 
In connection with automated driving systems, evasive driving maneuvers are 
often discussed from an ethical point of view. 

Therefore, this case-by-case real-world analysis provides insights: 

The descriptions in this case-by-case analysis point out five collisions, where 
the drivers were able to reduce the consequences of an accident by evasive 
maneuvers. Another 13 drivers (4%) tried to prevent the collision but failed with 
their evasive maneuvers. A major proportion of 356 accidents (95%) confirms no 
indications of evasive actions (see Fig. 3.10). 
Fig. 3.10 Main areas of accident types with difficult weather conditions 


Out of all 374 accidents, evasive maneuvers are clearly not relevant for avoiding collisions in the following cases: 127 accidents caused by lane departure, and accidents with moving objects (e.g. 43 collisions caused by animals), which are difficult to avoid because it is unknown whether the animal will continue running, stop or reverse. 
\[
n(\text{relevant evasive maneuvers to avoid collisions}) = n(\text{total}) - n(\text{lane departure}) - n(\text{moving objects}) = 347 - 127 - 43 = 177 \qquad (3.2)
\]
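The classification steps of Sections 3.3.2.1 to 3.3.2.4, applied to a small set of constructed police records, as an added example that is not part of the book and not the author's analysis software. The record fields, the sample data and the choice of UTYP 751 as the "moving objects" group are assumptions; the code groups UTYP codes into the seven main levels, computes the cause share of equation (3.1) and the relevant evasive-maneuver count of equation (3.2), and checks the disjointness that equation (3.2) silently assumes.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Sequence

# Main levels of the accident type catalogue (UTYP 1xx to 7xx) as listed in
# Section 3.3.2.3; the descriptions are shortened from the chapter.
UTYP_MAIN_LEVELS = {
    1: "dynamic accidents (driver lost control)",
    2: "accidents during turning",
    3: "turning at/crossing intersections",
    4: "pedestrian accidents",
    5: "stationary traffic",
    6: "parallel traffic",
    7: "other accidents",
}

# Assumption: wildlife collisions (UTYP 751) stand in for the "moving objects"
# that the chapter excludes from relevant evasive maneuvers.
MOVING_OBJECT_UTYPS: FrozenSet[int] = frozenset({751})


@dataclass(frozen=True)
class AccidentRecord:
    """One police-recorded accident. The field names are hypothetical; a real
    police database carries many more attributes than these."""
    case_id: str
    utyp: int             # three-digit accident type, e.g. 751 = wildlife
    cause: str            # visibility cause category as in Fig. 3.6
    lane_departure: bool  # collision caused by leaving the lane
    evasive: str          # "none", "failed" or "mitigated" (Section 3.3.2.4)


# Constructed sample, not real Saxony data, using the kinds of UTYP codes the
# chapter cites (199, 102, 139, 101, 211, 751) plus some from other levels.
RECORDS = [
    AccidentRecord("C01", 199, "fog", False, "none"),
    AccidentRecord("C02", 102, "snow", True, "none"),
    AccidentRecord("C03", 139, "rain", True, "failed"),
    AccidentRecord("C04", 101, "sun glare", False, "mitigated"),
    AccidentRecord("C05", 751, "fog", False, "none"),
    AccidentRecord("C06", 211, "headlight glare", False, "failed"),
    AccidentRecord("C07", 401, "visual obstruction", False, "none"),
    AccidentRecord("C08", 751, "fog", False, "none"),
    AccidentRecord("C09", 501, "rain", False, "none"),
    AccidentRecord("C10", 601, "fog", False, "none"),
]


def main_level(utyp: int) -> int:
    """Map a three-digit UTYP code to its main level 1 to 7."""
    if not 100 <= utyp <= 799:
        raise ValueError(f"UTYP code out of range: {utyp}")
    return utyp // 100


def utyp_distribution(records: Iterable[AccidentRecord]) -> Dict[int, int]:
    """Count accidents per main level, listing all seven levels (Fig. 3.9)."""
    counts = Counter(main_level(r.utyp) for r in records)
    return {level: counts.get(level, 0) for level in UTYP_MAIN_LEVELS}


def share_of_dynamic(records: Sequence[AccidentRecord]) -> float:
    """Proportion of dynamic accidents (UTYP 1xx); 49 percent in the chapter."""
    if not records:
        return 0.0
    return utyp_distribution(records)[1] / len(records)


def cause_share(records: Sequence[AccidentRecord], cause: str) -> float:
    """Equation (3.1) generalized to any cause category: accidents with that
    cause divided by all area-wide accidents."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.cause == cause) / len(records)


def evasive_summary(records: Iterable[AccidentRecord]) -> Dict[str, int]:
    """Count the three evasive-maneuver outcomes of Fig. 3.10."""
    counts = Counter(r.evasive for r in records)
    return {k: counts.get(k, 0) for k in ("none", "failed", "mitigated")}


def relevant_for_evasion(records: Sequence[AccidentRecord],
                         moving_object_utyps: FrozenSet[int] = MOVING_OBJECT_UTYPS
                         ) -> Dict[str, int]:
    """Equation (3.2): n(total) - n(lane departure) - n(moving objects).
    The subtraction assumes the two excluded groups are disjoint; records in
    both groups are subtracted only once here and reported as "overlap"."""
    n_total = len(records)
    n_lane = sum(1 for r in records if r.lane_departure)
    n_moving = sum(1 for r in records if r.utyp in moving_object_utyps)
    n_overlap = sum(1 for r in records
                    if r.lane_departure and r.utyp in moving_object_utyps)
    return {"total": n_total, "lane_departure": n_lane,
            "moving_objects": n_moving, "overlap": n_overlap,
            "relevant": n_total - n_lane - n_moving + n_overlap}


if __name__ == "__main__":
    for level, n in utyp_distribution(RECORDS).items():
        print(f"UTYP {level}xx {UTYP_MAIN_LEVELS[level]}: {n}")
    print(f"share of dynamic accidents: {share_of_dynamic(RECORDS):.0%}")
    print("evasive maneuvers:", evasive_summary(RECORDS))
    print("relevant for evasion:", relevant_for_evasion(RECORDS))
```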


3.3.2.5 Examples for Minor and No Damage to Property 

Two cases of the data set describe only minor damage to the involved vehicles 
and no injuries. The translated parts of the police accident reports below show 
two cases with no damage and one with slight scratches: 

... 01 parked his car backwards in a parking slot. Because of his limited view, darkness and rain, he slightly touched the parked car at the back ... He could not find any damage on either vehicle ... 

... Driver 02 rule-consistently stopped at the parking lot ... to let passengers 
get off the car. 01 rear-ended 02. The reason for this was snow on the roof which 
slips on the windshield when braking. Snow blocked the view and 01 reacted too 
late ... There were no obvious damages to determine at car 01. Slight scratches 
were visible on passenger car 02 ... 


3.3.3 Integration of Relevant Test Scenarios for Safe 
Automated Vehicles 


For a complete overall evaluation of highly and fully automated vehicles' functional safety, area-wide real-world accident scenarios with no harm to people, near collisions, traffic simulations and weather data as well as analysis provide the best basis. Knowing all relevant factors that may lead to a collision, virtual simulations can be performed based on detailed and quantitative models. Therefore, this first-time comprehensive area-wide study based on all police reports was carried out (Winkle T, 2015a). 

The findings can be completed with information from hospitals, insurance companies and models of human behavior. Especially takeover situations between driver and machine involve new challenges for the design and validation of human-machine interaction. Initial tests at the Chair of Ergonomics at the Technical University of Munich (TUM) demonstrate relevant ergonomic design requirements, and this work will be continued (Bengler K, 2015). 
3.3.4 Test Scenarios and Requirements in Relation to Legal and Ethical Aspects 


The analyzed test scenarios and requirements also provide information about “allowed” risks and risks accepted by society. When using vehicles with automated functions, unforeseeable reactions have to be expected, which in the worst cases may even cause injuries and fatalities. Due to the growing complexity, highly or fully automated vehicles currently involve risks which are difficult to assess. In addition, there are new liability questions and limited tolerance for technical failure. While over 1.2 million traffic fatalities currently seem to be acceptable to society all over the world, there is likely to be zero tolerance for any fatal accident involving presumed technical failures. 

On the other hand, automated driving systems promise considerable potential 
safety benefits. 

So far, many questions remain unanswered such as: 


— What confidence is required for particular traffic scenarios? 
— How can duty of care be fulfilled? 
— What changes legally when a machine detects and drives instead of a driver? 


Test scenarios and design requirements will support safe development and the fulfillment of the duty of care. However, in general, the creation of risks results in duty-of-care requirements, but not every generation of hazards is forbidden. This is the case if automated functions bring significant social benefits. Risks have to be reduced to a minimal level. Which risks the user may reasonably expect has to be negotiated by society. Levels of acceptable risk will be discussed by the media, by society, during the development of standards and at court. The question of which risks a society is willing to accept should be differentiated from the question of how critical traffic scenarios have to be assessed during development. It should be assumed that developers and programmers are not liable to prosecution for negligence if they act within the permitted risk. In the foreseeable future the driver remains liable. 

Dilemma situations will occur until machine perception or prediction can reliably distinguish, for example, between an old man and a young lady, or whether cyclists wear a helmet. The aim is to reduce risks. Shifting of risks is forbidden (Di Fabio U et al., 2017). 
3.4 Conclusion and Outlook 


Perceiving and interpreting complex traffic situations under difficult weather conditions confronts development engineers with considerable technical challenges. Therefore, the provided scenarios include representative situations for the transfer to similar road networks worldwide. They will be considered in development standards, both for early simulations as well as for the subsequent real tests. 

The considered 1,286,109 police-recorded accidents in the exemplary state of Saxony over ten years starting from the year 2004 are reduced to 374 real-world scenarios for bad weather conditions. The distribution of accident types under these circumstances shows 49 percent of collisions where the driver lost control of his or her vehicle. The cause is presumed to be the reduced friction values on slippery road surfaces. In particular, left-turn and right-turn maneuvers or bends in roadways occur more frequently and have to be considered for testing (see Fig. 3.8). 

Finally, the case-by-case analysis points out only five collisions where the drivers tried to reduce the consequences of an accident by evasive maneuvers. Only 177 cases are relevant, given the general conditions to be considered for evasive maneuvers to prevent or mitigate collisions. These accidents could possibly be prevented by future automation systems. Additional measurements and traffic simulations of the well-known accident locations — which were not examined in this analysis — will support a deeper understanding. 

In summary, the following issues will have an impact for testing: 


— Starting from the level highly automated and beyond, accident participants — at least temporarily — have no responsibility for the controllability of the vehicle. The consideration of relevant scenarios for risk reduction and ensuring the functional safety of electrical and/or electronic systems is therefore of significant importance. 

— Area-wide accident analyses covering all reported accidents provide relevant 
scenarios for testing and verification of automated vehicles including virtual 
simulation methods. 

— To obtain further findings for the development and design of safe automated 
vehicles, existing in-depth surveys of severe road accidents involving personal 
injury (e.g. GIDAS) should be combined with available area-wide accident 
collision data, digital geographic mappings, weather data and virtual traffic 
simulations. 

— Furthermore, beyond accidents also critical incidents with successful evasive 
behavior have to be analyzed based on road, traffic conditions and NDS data. 
It is recommended to comprehensively link geographically defined road-accident data and the accompanying high-definition geographic digital mapping data (e.g. Google Maps, Nokia HERE, TomTom, OpenStreetMap) with traffic-flow data from different sources (e.g. cars, mobile phones, road traffic devices). In the future, vehicle operation data and traffic simulations could be included as well. 

Based on these relevant real-world scenarios the author recommends further 
development of internationally valid guidelines — such as the ADAS Code of 
Practice definition, ISO 26262 functional safety or ISO PAS 21448 to support 
safety of the intended functionality (SOTIF) — with virtual simulation methods for 
verification of automated vehicles and final testing of the overall system limits in 
a real environment. Error processes and stochastic models have to be analyzed (in 
combination with virtual tests in laboratories and driving simulators) to control 
critical driving situations. This includes interaction tests with control algorithms 
and performance verification of real sensors in real traffic situations, particularly 
at the time just before a collision (Schöner H-P, Hurich W, Luther J, Herrtwich R 
G, 2011; Schöner H-P 2015). 

In general, it is recommended to identify worldwide networks, collaborate with 
affected partners, engage government representatives, local non-governmental 
organizations (NGOs) and promote road safety awareness (Feese J, 2016). Many 
governments and authorities encourage the deployment of new technologies with 
the potential to save lives. They work with industry, governmental partners, and 
other stakeholders to develop new technologies and accelerate their adoption in 
type approval regulations and standards. 
4 Technical, Legal, and Economic Risks 


The contents of this chapter were already prepublished within the Springer book: 
Autonomous driving, technical, legal and social aspects (Winkle, Development 
and Approval of Automated Vehicles: Considerations of Technical, Legal and 
Economic Risks, 2016b). 


4.1 Introduction Development 


In the following chapter the author traces the technical improvements in vehicle safety over recent decades, including new sensor technologies with image recognition and Artificial Intelligence, factoring in growing consumer expectations. Through Federal Court of Justice rulings on product liability and economic risks, he depicts requirements that car manufacturers must meet. For the proceedings from the first idea through development to sign-off, he recommends interdisciplinary, harmonized safety and testing procedures. He argues for further development of current internationally agreed-upon standards including tools, methodological descriptions, simulations, and guiding principles with checklists. These will represent and document the practiced state of science and technology, which has to be implemented in a technically suitable and economically reasonable way. 


4.2 Motivation 


In the course of new innovations, technical systems, especially electrical/electronic systems with Artificial Intelligence and sophisticated software, are becoming far more complex. Therefore, safety will be one of the key issues in future automobile development, resulting in a number of major new challenges, especially for car manufacturers and their developers. In particular, changing vehicle guidance from being completely human-driven, as it has always been, to being highly or fully automated raises fundamental questions regarding responsibility and liability. This calls for new approaches: first and foremost new safety and testing concepts (Bengler, Dietmayer, Färber, Maurer, Stiller & Winner, 2014). From the legal point of view, automated vehicles require protective safety measures in the development process (Gasser et al. 2012). The remaining risk must be accepted by users. According to a judgment by the German Federal Court of Justice (Bundesgerichtshof, or BGH), such vehicle systems must be designed (within the limits of what is technically possible and economically reasonable) according to the respective current state of the art and state of science, and must enter the market in a suitably sufficient form to prevent damage (Bundesgerichtshof 2009). 

Nationwide, it can be seen that product liability claims against large companies continue to rise (see Sec. 4.7.1). Consumer expectations regarding safety rise (see Sec. 4.5), while a general decline in self-responsibility is also becoming apparent in Europe and the eastern world. Social acceptance of misfortune as fate decreases with the consumer attitude: “Someone has to be responsible for that and pay me for my damage.” 

In addition, the increased willingness to sue is driven by cuts in social spending 
and the threat of further economic crises. Compensation payments in severe injury 
cases continue to escalate due to increasingly expensive court decisions and a more 
litigious social environment. In particular, missing or inadequate social security 
systems force victims to seek financial compensation for damages in court. This 
puts insurance companies under pressure and leads to an increase in compensation 
claims against companies: a “socialization of damages” through large companies 
takes place. Regional differences are increasingly disappearing. The author’s 
personal experience with product liability cases shows that consumer protection 
in countries such as China, India and Russia is now at least at a western level. 
Media diversity, in particular the various types of consumer information available 
on the Internet, generates a high level of consumer awareness worldwide. Class 
actions are now also possible in Europe, for example through interest groups 
organized via the Internet. Contingency fee arrangements for attorneys also reduce 
the financial risk of legal action for consumers. 

Compensation payments are converging worldwide at a high level (see Sec. 4.7.1). 
Because US electronic discovery can compel the disclosure of internal documents in 
the event of a claim, companies today are far more transparent. Similar procedures 
have now been introduced in Europe, Australia, Korea, Japan and China. Overall, 
this increases the potential risk of extended lawsuits. 
4.3 Questions of Increased Automation’s Product Safety 


Media reports on fully automated research vehicles from car manufacturers, 
suppliers and IT companies have for years been predicting the series production 
and market launch of self-driving vehicles. Several things still need to be in 
place, however, before these vehicles can be launched on the market. Increasing 
automation of vehicle guidance calls for cutting-edge, highly complex technology. 
Particularly with electric/electronic hardware and software, unforeseeable 
reactions have to be expected, which in the worst case may even endanger life 
and limb. Due to the growing complexity, fully automating all driving tasks in 
driverless vehicles (see Gasser et al., 2012), without a human driver as a backup, 
currently involves risks that are difficult to assess. In addition, there are new 
liability questions and limited tolerance for technical failure. 

Assumption: while about 3,000 deaths per year in road traffic currently seem to be 
acceptable to society in Germany, there is likely to be zero tolerance for any 
fatal accident involving a presumed technical failure. Although automation in 
driving, for example at lower speeds, promises considerable safety benefits, the 
comprehensive commercialization of driverless vehicles can only take place once 
the questions of who is liable and responsible for damage caused by technological 
systems have been clarified. Acceptance by society may only be achieved if, 
among other things, the benefits perceived by the individual clearly exceed the 
risks experienced. 

To date, the following questions, amongst others, remain unsolved: 


— How safe is safe enough to bring the new system to the market? 

— How is the duty of care assured during development? 

— Which requirements need to be taken into consideration when developing and 
marketing safe automated vehicles? 

— Under what conditions is an automated vehicle considered defective? 


Further questions arise for level 3 systems and above in order to improve 
product safety: 


— Which precautions can the developer take to avoid critical traffic situations 
while the driver is permitted to engage in secondary or tertiary driving tasks 
according to the function offered? Which precautions can be taken against possible 
malfunctions? 

— Which precautions can be taken to prevent the driver from activating the system 
where it is not appropriate? Under what conditions should a tertiary driving 
task or non-driving activity be prohibited? (for example the “Tesla judgement”, 
decision of 27.03.2020, reference: 1 Rb 36 Ss 832/19) 

— Which possibilities are available to bring the driver back into the driving task, 
or to bring the vehicle into a safe state, if the driver does not respond to the 
system’s warning within the specified time period? 

— Which measures must be taken if the automated function requires a takeover by 
the driver within a period shorter than the specified takeover time? (see Gold 
et al., 2013; Zeeb et al., 2015) 

— Can it be assumed that the system can handle a critical driving situation just 
as collision-free as the driver could have done? 

— Is it foreseeable that the system will not react as correctly as a driver would 
have done and the severity of a collision will increase as a result? 

— Were maneuvers of other road users considered that could indirectly cause a 
collision? 

— Is it possible that the vehicle breaks the traffic rules while the driver was not 
responsible for monitoring the driving task? 
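
The activation and takeover questions above can be made concrete in code. The 
following is an added example, not code from the book or from any manufacturer’s 
system: a small takeover-request (TOR) state machine for a level 3 function, 
written in Python. The time budgets (a specified takeover time of 10 s, acoustic 
escalation after 4 s), the operational design domain (ODD) checks and the 
driver-state signals (hands on wheel, eyes on road) are assumptions chosen for 
illustration, and the scenarios at the bottom are constructed. It shows two of the 
points the questions raise: a takeover is only accepted once both signals show the 
driver is back, with a minimal risk manoeuvre (MRM) if the specified time elapses, 
and if the system boundary is closer than the takeover budget the function does 
not wait for a human at all. 

```python
"""Takeover-request (TOR) state machine for a level-3 driving function.

Added example, not code from the book: the time budgets, the ODD checks and
the driver-state signals are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Tuple


class Mode(Enum):
    AUTOMATED = auto()           # system drives; driver may do non-driving tasks
    TAKEOVER_REQUESTED = auto()  # driver warned; escalation timer running
    MANUAL = auto()              # driver has confirmed the takeover
    MINIMAL_RISK = auto()        # system brings the vehicle to a safe stop


@dataclass
class Odd:
    """Operational design domain (assumed): where activation is appropriate."""
    divided_highway: bool
    speed_kmh: float
    max_speed_kmh: float = 60.0  # assumption: traffic-jam-pilot style limit
    sensors_healthy: bool = True


def may_activate(odd: Odd) -> bool:
    """Refuse activation outside the ODD so the driver cannot switch the
    function on where it is not appropriate."""
    return odd.divided_highway and odd.speed_kmh <= odd.max_speed_kmh and odd.sensors_healthy


@dataclass
class TakeoverController:
    budget_s: float = 10.0    # assumed specified takeover time
    escalate_s: float = 4.0   # assumed: acoustic escalation after 4 s
    mode: Mode = Mode.AUTOMATED
    escalated: bool = False
    log: List[str] = field(default_factory=list)

    def request_takeover(self, time_to_boundary_s: float) -> Mode:
        """Issue a TOR. If less time remains before the system boundary than the
        specified takeover budget, a human response cannot be relied on and the
        controller goes straight to the minimal-risk manoeuvre."""
        if time_to_boundary_s < self.budget_s:
            self.mode = Mode.MINIMAL_RISK
            self.log.append(f"only {time_to_boundary_s:.1f}s available, below budget: MRM")
        else:
            self.mode = Mode.TAKEOVER_REQUESTED
            self.escalated = False
            self.log.append("TOR issued: visual and haptic warning")
        return self.mode

    def tick(self, t_s: float, hands_on: bool, eyes_on_road: bool) -> Mode:
        """Periodic update with seconds since the TOR and the driver-state signals.
        The takeover is only accepted when both signals confirm the driver is back."""
        if self.mode is not Mode.TAKEOVER_REQUESTED:
            return self.mode
        if hands_on and eyes_on_road:
            self.mode = Mode.MANUAL
            self.log.append(f"driver took over after {t_s:.1f}s")
        elif t_s >= self.budget_s:
            self.mode = Mode.MINIMAL_RISK
            self.log.append(f"no valid response within {self.budget_s:.0f}s: MRM")
        elif t_s >= self.escalate_s and not self.escalated:
            self.escalated = True
            self.log.append(f"no response after {self.escalate_s:.0f}s: acoustic warning")
        return self.mode


def run_scenario(time_to_boundary_s: float,
                 driver: List[Tuple[float, bool, bool]],
                 step_s: float = 0.5) -> Tuple[Mode, List[str]]:
    """Simulate one TOR. `driver` lists (t_s, hands_on, eyes_on_road) samples
    (constructed input); the latest sample at or before each tick is used."""
    ctrl = TakeoverController()
    ctrl.request_takeover(time_to_boundary_s)
    t = 0.0
    hands, eyes = False, False
    while ctrl.mode is Mode.TAKEOVER_REQUESTED and t <= time_to_boundary_s:
        for ts, h, e in driver:
            if ts <= t:
                hands, eyes = h, e
        ctrl.tick(t, hands, eyes)
        t += step_s
    return ctrl.mode, ctrl.log


if __name__ == "__main__":
    # Constructed scenarios
    print(run_scenario(15.0, [(6.0, True, True)]))    # driver back at 6 s -> MANUAL
    print(run_scenario(15.0, [(6.0, True, False)]))   # hands only, never looks up -> MRM at 10 s
    print(run_scenario(5.0, []))                      # too little time -> immediate MRM
    print(may_activate(Odd(divided_highway=False, speed_kmh=40.0)))  # outside ODD -> False
```

The second scenario is the one that matters for product safety: a driver who 
grips the wheel but keeps looking at a screen has not taken over, so the controller 
keeps escalating and finally executes the MRM instead of silently handing back 
control. In a real function the signals would come from a driver monitoring 
camera and the steering torque sensor, and the budget values would have to be 
justified by takeover-time studies such as those cited above. 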


4.4 Continued Technical Development of Assistance 
Systems - New Opportunities and Risks 


From a technical point of view, automated vehicles are already able to take over 
all driving tasks autonomously in some defined areas and traffic situations. 
Optimized sensor, computing and chassis technologies in current series-production 
vehicles allow assistance systems to increase their performance. Some of the 
driver-assistance systems on the market today give a warning when they recognize 
dangers in parallel or cross traffic (Lane Departure Warning, Collision, Lane 
Change, Night Vision and Intersection Assistance). Others intervene in the 
longitudinal and lateral dynamics (e.g. anti-lock braking ABS, Electronic Stability 
Control ESC, Adaptive Cruise Control ACC). Active parking/steering assistance 
systems provide increased convenience by intervening in steering and braking at 
low speeds. These partially automated vehicle systems, with temporary longitudinal 
and lateral assistance, are currently offered for series-production vehicles, but 
exclusively on the basis of an attentive driver who is able to control the vehicle. 
Supervision by a human driver is required. Both in normal operation and at or 
beyond the system limits, the limits and failures of these Advanced Driver 
Assistance Systems (ADAS) are thus compensated for by the driver, whose ability to 
do so is demonstrated by a proof of controllability (see Knapp, Neumann, 
Brockmann, Walz & Winkle 2009; Donner, Winkle, Walz & Schwarz, 2007). 
For fully automated driving systems, on the other hand, the driver is no longer 
available as a backup for technical limits and failures. Replacing humans, who 
act on their own responsibility, with programmed machines goes along with 
technical and legal risks as well as challenges for product safety. However, 
future expectations regarding driverless vehicles, even in a situation of possible 
radical change, can only be described on the basis of previous experience. 
Analogies based on past and present expectations concerning vehicle safety will 
therefore be examined in the following section. 


4.5 Expectations Regarding Safety of Complex Vehicle 
Technology 


4.5.1 Steadily Rising Consumer Expectations for Vehicle Safety 


Fully automated vehicles must be measured against today’s globally high level of 
consumer awareness of technical failures in vehicles. Since 1965, critical 
awareness regarding the car industry has grown steadily, strengthened by the book 
Unsafe at Any Speed: The Designed-In Dangers of the American Automobile (Nader, 
1965 & 1972). In this publication, the author Ralph Nader blamed car makers for 
cost savings and breaches of the duty of care at the expense of safe construction 
and production. With its presentation of safety and construction deficiencies at 
General Motors and other manufacturers, the book alarmed the public. Nader went 
on to found the Center for Study of Responsive Law, which launched campaigns 
against the “Big Three” auto makers, Volkswagen and other car companies. 
Technical concepts were subsequently reworked and optimized. At the center of 
Nader’s criticism was the Chevrolet Corvair. Amongst other things, Nader 
criticized its unsafe vehicle dynamics resulting from the rear-mounted engine and 
swing axle: under compression or rebound, the swing axle changed the wheel camber 
(inclination from the vertical axis). With an elastokinematic twist-beam or a 
multilink rear suspension, the camber remains largely unchanged, which results in 
more stable driveability and handling. Later, the VW Beetle came under fire for 
similar reasons due to its sensitivity to crosswinds; it was also designed with a 
rear-mounted engine and a swing axle. As a technical improvement, VW therefore 
replaced the Beetle with the Golf, with a front engine and more stable handling 
(market introduction 1974). 

Besides the development of new vehicles that were of better design and drove 
more safely, a further consequence of this criticism was the establishment of the 
US National Highway Traffic Safety Administration (NHTSA), located within 
the Department of Transportation. Based on the Highway Safety Act of 1970, it 
works to improve road traffic safety and sees its task as protecting human life, 
preventing injury, and reducing accidents. Furthermore, it provides consumers with 
vehicle-specific safety information that had previously been inaccessible to the 
public. Moreover, the NHTSA has accompanied numerous investigations of automobile 
safety systems to this day; amongst other things, it actively promoted the 
compulsory introduction of Electronic Stability Control (ESC). Parallel to the 
NHTSA’s activities, statistics from the German Federal Motor Transport Authority 
(Kraftfahrt-Bundesamt, or KBA) also show an increasingly sensitive handling of 
safety-related defects, by supporting and enforcing product recalls 
(Kraftfahrtbundesamt Jahresberichte, 2014). Furthermore, there are now extremely 
high expectations for vehicle safety. This can also be seen in the extensive 
safety equipment expected today in almost every series-production vehicle across 
the globe, including anti-lock braking (ABS), airbags, and Electronic Stability 
Control (ESC). The frequency of product recalls has increased, even though the 
general reliability and functional safety of passenger vehicles has noticeably 
risen at the same time. Endurance tests in trade magazines such as Auto Motor und 
Sport show that a distance of 100,000 km is increasingly completed without any 
breakdowns, unscheduled workshop visits, or defective parts. 


4.5.2 Current Safety Expectations of Potential Users 


Above all the acceptance of automated vehicles depends upon whether the 
consumers perceive the technologies as safe and reliable. 

Consumers are still skeptical about data protection, protection against 
cybercrime and functional safety with increasing automation. A 2018 study on 
automated driving by TÜV Rheinland states that, in general, consumers in China, 
the USA and Germany have a positive attitude towards autonomous driving 
technology. However, the more driving functions are automated, the lower the 
perceived safety. Chinese consumers are a little less skeptical. 

One of the main findings of the study was that drivers in Germany, the USA and 
China are convinced that road safety decreases with increasing automation of cars 
(Schierge Frank, 2017). According to the author, however, an intelligent, 
controllable automation can increase safety. 

In the study mentioned above, TÜV Rheinland surveyed 1,000 private individuals 
aged 18 and over with a driving license in each of the major markets of Germany, 
the USA and China using an online questionnaire. The study covered a period of 
three months (August to October 2017). The results confirmed the trend of a 
representative survey conducted by TÜV in spring 2017 on the acceptance of 
autonomous driving technology in Germany: three out of four respondents were 
positive about higher levels of autonomous driving, but there were still many 
reservations about the technical implementation. According to the current 
international study, 78 percent of all respondents want to be able to take the 
steering wheel themselves at any time in an emergency. More than every second 
German interviewed (53 percent) would only buy an autonomous vehicle if they were 
always able to drive it themselves. 

Furthermore, the fear of personal data falling into unauthorized hands is 
widespread: 30 percent of respondents in Germany “fully agreed” with this state- 
ment, 28 percent in the USA and 13 percent in China. The lack of customer 
confidence in cyber security extends so deeply that the majority (Germany 66 per- 
cent, USA 61 percent, China 60 percent) would even change the brand of the 
vehicle after a hacker attack. 

In summary, the study showed that, in the perception of the surveyed persons, 
there is a need for improvement in the area of safety. To increase the acceptance 
of autonomous driving technology, consumers in Germany, China and the USA ask 
politics and industry to raise the level of knowledge, to guarantee the possibility 
of personal intervention in the car, to make data protection and co-determination 
in data use more transparent, and to put in place effective measures to protect 
against cybercrime (see also Annex Fig. A.6). 


4.5.3 Considerations of Risks and Benefits 


Automated vehicles will arguably only gain acceptance within society when the 
perceived benefit (depending on the degree of efficiency: “driver” versus “robot”) 
outweighs the expected risks (depending on the degree of automation: “area of 
action” versus “area of effectiveness”). In order to minimize the risks, 
manufacturers carry out accident data analysis and corresponding risk management 
(see Fig. 4.1). 


Fig. 4.1 Societal and individual user acceptance. Acceptance may arise 
contextually, as consumers weigh up the perceived beneficial options against the 
feared risks in the relevant contexts (see Grunwald, 2013; Fraedrich, 2016). Risks 
depend on the level of automation, benefits on the degree of efficiency. Risk 
management and accident data analysis (see Ch. 2, 4) allow for objectification 
and optimization. 


For car manufacturers and their suppliers, automated vehicles are an interesting 
product innovation with new marketing possibilities. Investment decisions and 
market launches however involve risks that are difficult to assess: 


— Which risks exist for product liability claims when autonomous vehicles do 
not meet the requirements of a safe product? 

— Which failures may lead to product recalls? 

— Will the brand image be sustainably damaged, if the automated vehicle does 
not comply with consumer expectations? 


4.6 Legal Requirements and Effects 


Society’s and individuals’ expectations of technical perfection in vehicles are 
rising. Higher demands on vehicle quality and functions also call for 
corresponding safety measures when rolling out autonomous vehicles. This can be 
seen, for example, in the rising number of recall campaigns despite increasing 
technical reliability, in additional requirements and standards, in comprehensive 
safety campaigns such as the Motor Vehicle Safety Defects and Recall Campaigns, 
and in new documentation obligations imposed by public authorities. One example 
of the latter is the Transportation Recall Enhancement, Accountability and 
Documentation (TREAD) Act in the USA (United States of America, 2000), which 
introduced a series of new and extensive documentation and reporting obligations 
towards the National Highway Traffic Safety Administration (NHTSA). At the same 
time, human errors in road traffic are sanctioned individually, without calling 
the road transport system itself into question. 

Highly complex technologies and varying definitions slow down any launch of 
autonomous vehicles. In addition, the interdisciplinary context contains various 
technical guidelines. Developers could previously derive their specifications from 
standards and guidelines such as “generally accepted good engineering practice”, 
“generally recognized and legally binding codes of practice”, “industry 
standards”, or the “state of the art”. With its decision of 06/16/2009, the 
German Federal Court of Justice (BGH) sought to raise the requirements for the 
automotive industry and, surprisingly, coined the term “latest state of the art 
and science”. This creates additional challenges for developers. Functions that 
are currently feasible in research vehicles under laboratory conditions for 
scientific purposes are far from meeting the expectations placed on 
series-production vehicles, e.g. with regard to protection from cold, heat, 
vibration, water, or dirt. 

From a developer’s point of view, compliance with the legal requirements for the 
careful development of new complex systems can only be proven by validation 
tests. These should ideally be internationally harmonized and standardized. The 
German BGH judgment of 2009 explained these development requirements, without 
regard to economic and technical suitability for series production, as “... all 
possible design precautions for safety ...” based on the “state of the art and 
science” (Bundesgerichtshof, 2009), relying on an expert opinion obtained for the 
preservation of evidence. This opinion, however, demands ultrasound sensors as a 
redundant means of recognizing critical objects in order to trigger airbags. It 
should be possible “... to attach ultrasound sensors around the vehicle which 
sense contact with an object and are in addition verified by existing sensors 
before airbag deployment ...” (Bundesgerichtshof BGH, 2009). 

From an engineering point of view, however, this expert opinion for the 
preservation of evidence is more than questionable, as current sensor designs in 
series-production vehicles only permit a range of a few meters. Given the current 
state of the art, the use of ultrasonic sensor systems is limited to detecting 
static surroundings at low speeds within the scope of parking assistance. The 
sensors’ high-frequency sound waves can be disturbed by other high-frequency 
acoustic sources such as jackhammers or the pneumatic brakes of trucks and buses, 
which can lead to false detections. Poorly reflecting surfaces, moreover, return 
no echo at all, so that object detection is then entirely impossible (Geiger A, 
et al. 2012; Noll & Rapps, 2012). Furthermore, the lawsuit ultimately established 
that the sensor system in question had worked without error, in accordance with 
its technical specification. 

In addition, the previous fundamental BGH judgment requires that risks and 
benefits be assessed before market launch: 


“Safety measures are required which are feasible to design according to the state 
of the art and science at the time of placing the product on the market ... and in a 
suitable and sufficient form to prevent damage. If certain risks associated with the use 
of the product cannot be avoided according to state of the art and science, then it must 
be verified—under weighing up the risks, the probability of realization, along with 
the product benefits connected—whether the dangerous product can be placed on the 
market at all.” (Bundesgerichtshof 2009) 


4.6.1 Generally Accepted Rules of Technology 


An interpretation of the term “generally accepted rules of technology” (allgemein 
anerkannte Regeln der Technik, or aaRdT) as a basic rule was shaped in a German 
Imperial Court of Justice (Reichsgericht) judgment from 1910 based on a decision 
from 1891 during criminal proceedings concerning Section 330 of the German 
Penal Code (§ 330 StGB) in the context of building law: 


“Generally accepted rules of technology are those which, resulting from the sum 
of all experience in the technical field, have proven themselves in practice and 
of whose correctness the experts in the field are convinced.” 


In various legal areas, they have different meanings. In terms of product liability, 
generally accepted rules of technology represent minimum requirements. 
Non-compliance with these rules would indicate that the required safety has not 
been reached. They are described in DIN-VDE regulations, DIN standards, accident 
prevention regulations, and VDI guidelines, amongst others (Krey & Kapoor 2012). 


4.6.2 The Product Safety Law (ProdSG) 


The German Product Safety Law (Produktsicherheitsgesetz, or ProdSG), in its 
revised version of 11/08/2011, establishes rules on safety requirements for 
products, including consumer products. Its predecessor was the Equipment and 
Product Safety Law (Geräte- und Produktsicherheitsgesetz, or GPSG) of 01.05.2004, 
which in turn had replaced the Product Safety Law (Produktsicherheitsgesetz, or 
ProdSG) of 22.04.1997 and the Equipment Safety Law (Gerätesicherheitsgesetz, GSG) 
of 24.06.1968. Section 3 GSG describes the general requirements for making 
products available on the market: 

“A product may ... only be placed on the market if its intended or foreseeable 
use does not endanger the health and safety of persons.” (Burg & Moser, 2017) 


4.6.3 The Product Liability Law (ProdHaftG) 


Independent of the legal basis of a claim, the term “product liability” commonly 
refers to a manufacturer’s legal liability for damages arising from a defective 
product. A manufacturer is whoever has produced a final product, a component 
product, or a raw material, or has attached its name or brand name to a product. 
For product liability in Germany, there are two separate foundations for claims. 
The first is fault-based liability under Section 823 of the German Civil Code 
(BGB) (Köhler, 2012); the second is strict liability, regardless of negligence or 
fault on the part of the tortfeasor, as contained in the Product Liability Law. 
Section 1 of the Product Liability Law (ProdHaftG, Law Concerning Liability for 
Defective Products) of 12/15/1989 describes the consequences of a defect as follows: 


“If a person is killed or his or her body or health injured, or if property is damaged, due 
to a defect of a product, the manufacturer of the product is thus obliged to compensate 
the injured parties for any losses.” (European Commission, 1985) 


Independently of whether the product defect is caused intentionally or through 
negligence, a defect is defined in Section 3 of the ProdHaftG as follows: 


“A product is defective when it is lacking safety which the public at large is entitled 
to expect, taking into account the presentation of the product, the reasonably expected 
use of the product and the time when the product was put into circulation.” (European 
Commission, Directive 85/374/EEC, 1985) 


Should damage arise from a defective product, the Product Liability Law regulates 
the liability of the manufacturer. Firstly, this entails potential civil liability 
claims for property damage, financial losses, personal injury, or compensation for 
pain and suffering. Liability rests primarily with the manufacturer. In justified 
cases suppliers, importers, distributors, and vendors may also be held liable 
without limitation. Furthermore, where criminal liability is legally established, 
there may also be particular consequences for top management or individual 
employees if it is proven that risks were not minimized to an acceptable level 
(see Fig. 4.2). In cases of serious fault, or of negligence depending on the 
offense, this may involve personal criminal proceedings against a developer. 

Besides the potential legal consequences, manufacturers must also expect con- 
siderable negative economic effects. Negative headlines in the media can lead 
to substantial loss in profits or revenue, damage to image, loss in trust and 
consequently loss of market share. Therefore, when developing new systems, 
both consequences of potentially legal and economic risks must be considered. 
Figure 4.2 gives an overview of the potential effects of failures in automated 
vehicles. 
Fig. 4.2 Potential consequences of failures in automated vehicles 
4.6.4 Ethics, Court Judgments to Operational Risk 
and Avoidability 


Furthermore, the ongoing developments in automated driving require politics, 
society and the legal system to reflect on additional emerging changes. 

One aspect is the decision whether the approval of automated driving systems 
is ethically justifiable or even necessary. At a fundamental level, it depends on 
how much dependence on complex technical systems we are willing to accept, in the 
future increasingly on systems that may be capable of learning and are based on 
Artificial Intelligence with trained neural networks for deep learning (see LeCun 
Y et al., 2015; Goodfellow I et al., 2016; Schmidhuber J, 2015), in order to 
achieve greater safety, mobility and comfort in return. The following questions 
arise here: 


— Are there any requirements for controllability, transparency and data auto- 
nomy? 

— Which technical requirements are necessary to legally protect the individual 
human being within society, their freedom of development, their physical and 
mental integrity, and their right to social respect? 


In Germany, the Ethics Commission for Automated Driving presented the first 
ethical rules worldwide for autonomous driving technology in June 2017. It states 
that automatic control in unavoidable accident situations cannot be programmed in 
a way that is ethically beyond doubt. In the case of unavoidable accidents, any 
distinction based on personal characteristics (age, gender, physical or mental 
constitution) is strictly prohibited (Di Fabio U et al., 2017). 

Legal ethics is an important link between jurisprudence and legal policy on the 
one hand and ethics on the other. From an ethical perspective, it addresses basic 
legal questions as well as questions of legal practice. It is therefore well 
suited to identifying and, under certain circumstances, correcting ossified 
subject-specific viewpoints (Hilgendorf et al., 2018). 

The following questions relate to an ethically justifiable development of 
automated vehicles: 


— Will the automated vehicle avoid accidents as well as is practically possible? 

— Is the technology designed according to its respective state of the art in such 
a way that critical situations do not arise in the first place? (including 
dilemma situations in which an automated vehicle is faced with the decision of 
having to carry out one of two evils that cannot be weighed against each other) 

— Has the entire spectrum of technical possibilities been used and continuously 
been further developed? (limitation of the area of operation to controllable 
traffic environments, vehicle sensors and braking performance, signals for 
endangered persons, up to hazard prevention by means of an “intelligent” road 
infrastructure) 

— Is the development objective focused on significantly increasing road safety? 

— Has defensive and safe driving already been considered in the design and 
programming of the vehicles, especially with regard to Vulnerable Road Users 
(VRU)? 


Vulnerable road users, pedestrians in particular, are a further aspect that was 
already mentioned in chapters 2 and 3 as a challenge for the development of 
automated functions. 

The German legislator strengthened the rights of non-motorized road users through 
the Second Act Amending the Law on Damages (2. SchadÄndG) of 2002, including 
replacing the exemption for an “unavoidable event” with one for force majeure. In 
concrete terms, the law introduced the following major innovations: 


— strengthening the position of children in road traffic 
— exclusion of the vehicle keeper’s liability only in cases of force majeure 
— no consideration of the (partial) fault of children under 10 years of age 


A change in German court decisions took place only a few years later. To this 
end, the responsibility for pedestrian accidents has been investigated on the 
basis of case law since 2004. Analyses of court decisions demonstrate that there 
has been a significant change since the Federal Court of Justice (BGH) ruling of 
2014. 

The trend shows that in future the responsibility for damage in pedestrian 
accidents will remain with the owner and, in the case of fully automated 
functions, probably with the manufacturer. The recommendation is that future case 
law should be observed (see Annex A: Change in case law on the responsibility for 
pedestrian accidents). 
4.7 Product Safety Enhancement in Automated Vehicles 
Based on Expert Knowledge from Liability 
and Warranty Claims 


4.7.1 Experience from Product Crises and Traffic Accidents 


In the future, safe automated vehicles will continue to depend on integrated 
quality management systems (International Organization for Standardization ISO 
9001, 2015 & ISO/TS, 2009) and safe interactions (Akamatsu, Green & Bengler, 
2013). In the past, even advanced and successful vehicles were frequently affected 
by product crises. 


4.7.1.1 Defective Supplier Parts and Systems 
The following examples document how supplier parts and systems triggered 
extensive product crises. 

The Ford Explorer was the world’s best-selling sport utility vehicle. In May 2000, 
the NHTSA in the USA contacted both Ford and Firestone because of a conspicuously 
high rate of tire failures due to tread separation. Ford Explorers, Mercury 
Mountaineers, and Mazda Navajos were affected; all were factory-fitted with 
Firestone tires. At high speeds, tire failures led to vehicles skidding out of 
control and rollover crashes with fatal consequences. Firestone tires on Ford 
Explorers were linked to over 200 fatalities in the USA and more than 60 in 
Venezuela. Ford and Firestone paid 7.85 million dollars in court settlements; 
compensation and penalties in total amounted to 369 million dollars. In addition 
to the expensive recall of several million tires, communication errors were made 
during the crisis: the managers responsible publicly blamed each other. This 
shattered friendly business relations between the two companies that dated back 
over 100 years: Harvey Firestone had sold Henry Ford tires for the production of 
his first car as long ago as 1895. As the crisis progressed, it led to serious 
damage to the companies’ images, with sales collapsing for both parties 
(Hartley R F, 2011). 

General Motors (GM) announced a further example of defective supplier parts 
in February 2014. As a consequence of the financial crisis, the car company had 
been on the brink of bankruptcy in 2009. It returned to profit for the first time, 
and won awards for its new models, after a government bailout. But the ignition 
switches on some models had seemingly been too weakly constructed since 2001, 
which meant the ignition key sometimes jumped back to the “Off” position while 
driving. When this happened, not only did the motor switch off, but the brake 
booster, power steering, and airbags also became deactivated. GM engineers were 
accused of having ignored the safety defect in spite of early warnings for more 
than ten years. Therefore, the company has already been fined 35 million dollars 
for a delayed recall and now faces billions of dollars of damages claims from 
accident victims and vehicle owners after mass product recalls (National Highway 
Traffic Safety Administration, 2014a). 

Another huge airbag recall campaign by NHTSA involved eleven different 
vehicle manufacturers and more than 30 million vehicles in the United States 
alone. Airbag inflators supplied by Takata ignited with explosive force. In some 
cases, the inflator housing could rupture under high-temperature conditions, 
spraying metal shards throughout the passenger cabin and thus injuring or killing 
car occupants. Several fatalities and more than 100 injuries were linked to this 
case. The airbags were installed in vehicles from model years 2002 to 2014. 
Despite this injury risk, the Department of Transportation estimated that between 
1987 and 2012 frontal airbags had saved 37,000 lives (National Highway Traffic 
Safety Administration, 2014, 2015). 


4.7.1.2 So-Called Unintended Accelerating, Decelerating 
or Steering Vehicles 

Vehicles that automatically intervene in longitudinal and lateral guidance hold 
considerable risks and provide a target for those who assert that vehicles steer, 
accelerate and decelerate unintentionally, unexpectedly or uncontrollably. The 
accusation of unintended acceleration due to alleged technical defects has already 
put some car manufacturers in the media’s crossfire. Mainly in the USA, unintended 
accelerations of vehicles were reported as causing fatal accidents. Affected drivers 
have initiated waves of lawsuits lasting for decades. 

Examples of extensive lawsuits were allegations against Toyota, a globally 
successful company known for excellent quality. Toyota came off very well in 
customer-satisfaction studies by the American market research firm J. D. Power 
and Associates in 2002, 2004, and 2005. In 2009, however, Toyota was confron- 
ted with allegations of unintended and sudden acceleration of its vehicles. These 
were initially triggered by single incidents of sliding floor mats, which had sup- 
posedly been responsible for gas pedals getting jammed. It was then argued that 
vehicles would have accelerated unintentionally while driving due to the mechani- 
cally jammed gas pedals. As Toyota had not responded to the allegations quickly 
enough in the eyes of the NHTSA, the company was accused of covering up 
safety problems linked with more than 50 deaths. As well as compensation pay- 
ments, Toyota had to pay the authority an unusually high fine of 16.4 million 
dollars in 2010. This was followed by extensive product recalls and claims for 
damages (National Highway Traffic Safety Administration, 2014b). 
A further instance of a proven technical defect that led to unwanted accelerations 
can be seen in an NHTSA recall action in June 2014. The software problem 
occurred in some Chrysler Sport Utility Vehicles (SUV). When optional adaptive 
cruise control was activated and the driver temporarily pressed the accelerator 
pedal to override the set speed, accelerating more than the cruise control system 
would on its own, the vehicle continued to accelerate briefly after the accelerator 
pedal was released. According to the technical requirements, the vehicle has to 
decelerate to the requested set speed in this case. There were no accident victims. 
The recall, initiated at short notice, was restricted to a mere 6,042 vehicles 
(National Highway Traffic Safety Administration, 2014c). 

Other great challenges have already arisen because autonomous braking systems 
decelerated in individual cases without a reason visible to the driver and put 
vehicles at risk of a rear-end collision. However, automatic braking and collision 
warning systems have great potential for reducing road accidents and saving lives. 
After recognizing a relevant crash object, they can apply the brakes automatically 
and faster than humans, slowing the vehicle to reduce damage and injuries. 
Therefore, it is recommended that these systems be made standard equipment on 
all new cars and commercial trucks. Since November 2013, EU legislation has 
mandated Autonomous Emergency Braking Systems (AEBS) in different stages with 
respect to type-approval requirement levels for certain categories of motor vehicles, 
so as to cover almost all new vehicles in the future (Juncker J-C, 2015). 

According to NHTSA the Japanese car manufacturer Honda Motor Company 
had to recall certain model year 2014-2015 Acura vehicles with Emergency Bra- 
king. The reason was that the Collision Mitigation Braking System (CMBS) 
may inappropriately interpret certain roadside infrastructure such as iron fences 
or metal guardrails as obstacles and unexpectedly apply the brakes (National 
Highway Traffic Safety Administration, 2015a). Furthermore, NHTSA investiga- 
ted complaints alleging unexpected braking incidents of the autonomous braking 
system in Jeep Grand Cherokee vehicles with no visible objects on the road 
(National Highway Traffic Safety Administration, 2015b). 

Another recall of Chrysler vehicles, dated July 24, 2015, was according to 
NHTSA the first ever initiated by a software hack. US researchers brought a moving 
Chrysler Jeep under their control from afar, which forced the company to recall 
the vehicles and ensure the cyber-security of their onboard software. The affected 
vehicles were equipped with Uconnect radio entertainment systems from Harman 
International Industries. Software vulnerabilities could allow third-party access to 
certain networked vehicle control systems via the internet. Exploitation of the 
software vulnerability could result in unauthorized manipulation and remote control 
of certain safety-related vehicle functions (such as engine, transmission, brakes 
and steering), resulting in the risk of a crash (National Highway Traffic Safety 
Administration, 2015c). 

Moreover, Fiat Chrysler Automobiles acknowledged violations of the Motor 
Vehicle Safety Act in some safety-relevant cases. To remedy its failures, the com- 
pany agreed to repair vehicles with safety defects or purchase defective vehicles 
back from owners and pay a 105-million-dollar civil penalty. Until 2015 this was 
the largest fine ever imposed by NHTSA. 

In addition to the threat of civil penalties, the following fatal traffic accident 
that occurred in Germany represents an important leading case. It transparently 
demonstrates the criminal liability of manufacturers with regard to automated 
driving and how that liability can be limited, by means of appropriate preventive 
measures, in a way that can be controlled under the rule of law (see Fig. 4.3). 

On January 8, 2012, a fast passenger car with an activated lane keeping system 
entered a small town in the district of Aschaffenburg and subsequently crashed 
into a family having a Sunday afternoon walk in the middle of the village. A 
woman and her child were both killed immediately. The driver is assumed to 
have suffered a heart attack at the entrance to the town and to have lost 
consciousness as a result. A vehicle conventionally steered exclusively by the 
driver would have come off the road at the entrance to the town and probably 
come to a standstill next to the road. However, the Lane Keeping Assist (LKA) 
actively kept the vehicle on the road. The consequence of this traffic accident 
was a dead mother (35 years), a dead boy (7 years), a seriously injured father 
(44 years) and a fatally injured driver (51 years). According to a police officer’s 
report at the Würzburg police headquarters, a heart attack (cerebrovascular stroke) 
was confirmed as the cause of this accident. This is also consistent with the fact 
that no brake marks were visible. According 
to witnesses, the 51-year-old driver of the passenger car was accelerating in a 
30 kilometers per hour speed limit zone before the collisions occurred and had 
run over the traffic island of a roundabout (see Annex Fig. A.9 and A.10). Due 
to a following collision at the left vehicle front with a house wall, the vehicle 
was deflected and finally reached its final position on the opposite sidewalk (see 
Fig. 4.3). According to witnesses, the car then collided directly with a family 
during their Sunday afternoon walk on the sidewalk (Krämer K, Winkle T, 2019). 
It was reported that the father was only partially hit by the car by jumping to the 
side and only suffered a leg injury. Unfortunately, the mother and her seven-year- 
old son were completely hit and pulled along over several meters. 

Subsequently, an extraordinary technical background in terms of liability law 
was considered responsible for the collision with the family. The car was 
equipped with a Lane Keeping Assist, which was allegedly activated before the 
first collision. As a result, the corrective steering torque would have tried to 
keep the vehicle on the road while the car with the unconscious driver approached 
the roundabout. The assumption was that, without a corrective steering torque, 
the car might have left the road earlier and the deadly pedestrian collision 
would not have occurred. 

The father who had lost his wife and child wanted justice. Someone should be 
held criminally responsible for the killing that destroyed his life. His question 
was to what extent someone could be held liable for negligent homicide. Therefore, 
he turned to the public prosecutor’s office. 

The lawyer and expert for robot law Prof. Dr. Dr. Eric Hilgendorf was legally 
appointed by the public prosecutor’s office to analyze the case: 

This traffic accident is one of the first cases in which an autonomous assistance 
system is held responsible for significant personal injury and material damage. 
Under civil law such a case is covered by the owner’s liability in German road 
traffic law. The owner of the vehicle is liable for all damages caused by the vehicle 
(§ 7 StVG). Liability insurance (see § 1 PflVG) assumes the settlement of the 
claims brought by the injured party — in this case the surviving father. 

From a criminal law perspective, it must be clarified who is a potential per- 
petrator. Obviously, the vehicle itself cannot be the perpetrator of a crime. The 
driver cannot be accused of any act causing damage or disregarding duty of care. 
Only the vehicle manufacturer or an employee who is responsible for negligence 
in the development, programming or release process of the Lane Keeping Assist 
remains a punishable offender. 

Two possible approaches were considered for the allegation of negligence: 


1. The technical system for active steering support had been defective. 
2. By functional definition, the system worked correctly, but additional safety 
measures would have had to be provided. 


While the first point could be excluded, the criticism remained that the system 
had not been designed or programmed safely enough. The statements of the public 
prosecutor’s office in this regard therefore point the way: 

“Bereits aus dem Grundsatz der Sozialadäquanz muss ein Sicherungssys- 
tem nicht in der Lage sein, jede technische Möglichkeit auszuschöpfen. Denn 
dies würde bedeuten, dass zwangsläufig jedes Fahrzeug alle nur denkbaren 
Sicherungsmöglichkeiten enthalten müsste. Zwar wäre es durchaus wünschens- 
wert, wenn eine Lenkungsunterstützung neben den Daten des Fahrzeugs auch 
die Gesundheit des Fahrzeugführers überwachen könnte. Es ist technisch mög- 
lich, über Sensoren auch die Herzfrequenz oder (was hier zur Vermeidung 
des Unfalls erforderlich gewesen wäre) die Gehirnströme des Fahrzeuglenkers 
zu messen und auszuwerten. Allein das Unterlassen solcher Maßnahmen führt 
jedoch nicht zu Pflichtwidrigkeit, da es hier an einem Schutzzweckbezug fehlt. 
Denn durch die Lenkungsunterstützung wird das Risiko eines Unfalls nicht 
erhöht. Sie verlagert allenfalls schicksalshaft den Unfallort.” (Hilgendorf E, 2018; 
Generalstaatsanwaltschaft Bamberg, 2012, AZ 5 ZS 1016/12) 

“Even the principle of social adequacy does not mean that a security system 
must be able to exploit every technical possibility. This would imply that every 
vehicle would inevitably have to fulfill all imaginable safety measures. It would 
certainly be desirable if steering assistance could monitor not only the vehicle’s 
data but also the driver’s state of health. It is technically possible to use sensors 
to measure and evaluate the heart rate or (which would have been necessary here 
to avoid the accident) the brain waves of the driver. However, the failure to take 
such measures alone does not lead to breach of duty, as there is no reference to 
the protective purpose here. Because steering assistance does not increase the risk 
of an accident. At most, it fatefully relocates the location of the accident.” 

These considerations mean that technology is never absolutely safe. The users 
of a certain technology have to accept risks. The manufacturer should not be 
required by law to implement every imaginable safeguard. 

Regarding the criminal law assessment of this Aschaffenburg case, the lawyer 
Prof. Dr. Dr. Eric Hilgendorf tries to further specify the relevant criteria for 
non-compliance with the duty of care in the manufacture and market introduction 
of technical products. He refers here to “Fahrlässigkeitshaftung und erlaubtes 
Risiko” (negligence liability and permitted risk): 

The limitations required in criminal liability for defective technology should 
not be placed in the context of protective purpose considerations or in the context 
of an additional category of “objective attribution”, but in the context of checking 
duty of care violations. 

Following this argumentation, the examination for the existence of a breach 
of the duty of care according to Prof. Dr. Dr. Hilgendorf can be structured as 
follows: 


1. A duty of care arises with the foreseeability of a damage and its avoidability. 

2. The degree of required duty of care is determined by the proximity of the 
imminent danger (i.e. the probability of the damage occurring) and the level 
of the imminent damage. 

3. The duty of care is limited by the principle of trust and the principle of 
permissible risk. 
For Prof. Hilgendorf, the legal concept of “permitted risk” is decisive in the 
assessment of this case. According to Prof. Hilgendorf (with regard to the 
permitted risk), the production of risky products is not to be assessed as negligent 
(and thus “permitted”) if, according to the current opinion of the legal community, 
the benefits associated with the technical products are so great that individual 
harm can be accepted. This principle reaches so far that even fatalities caused by 
passenger cars are tolerated — the manufacture of vehicles is therefore not 
qualified as negligent. However, this is only the case if manufacturers do 
everything reasonable to reduce the risks caused by their products as far as 
possible (and reasonable). The generation of risks that could reasonably be avoided 
is therefore not covered by the aspect of permitted risk (Hilgendorf E, 2018). 

The criticism against the manufacturer was that introducing the system might 
have been negligent or careless. However, the manufacturer was able to prove 
with tests on competition vehicles that the lane guidance assistant corresponds 
demonstrably to the usual state of the art. 

This case shows that it is difficult for a developer to foresee all eventualities. 
According to the assessment of the lawyers, the manufacturers can only be requi- 
red to make their products as safe as possible within reasonable limits. Occasional 
damage must thereafter be accepted due to the benefits associated with the pro- 
ducts. Basically, no technology is safe. Therefore, the society has to decide in 
each individual case which risk it will tolerate or accept. 

From today’s perspective, a driver monitoring system could have detected the 
unconsciousness of the driver with corresponding technical measures in order to 
initiate risk-reducing measures. After this case became known, Prof. Hilgendorf 
argued that a technical solution for such cases should be considered in further 
new developments (Hilgendorf E, 2015, 2015b, 2019). 

This tragic accident indicates that many new technological risks for automated 
functions in future may not be visible during development and testing. These 
issues arise in real-life traffic situations and developers have to make necessary 
changes to the technology ensuring real-world traffic safety (see Ch. 4). 

Another example is the first recorded fatal pedestrian accident with a self- 
driving test vehicle, in Tempe. The complaint in this case states that the collision 
avoidance system did not react. An Uber test vehicle in autonomous mode collided 
with a pedestrian and her bicycle. A 49-year-old woman was pushing her bicycle 
across a road with two main lanes and another two lanes for left turners. The 
collision occurred late in the evening on 18 March 2018. Neither the automatically 
driving vehicle nor the responsible safety driver took any measures to prevent or 
mitigate the consequences of the accident. Thus, the incident raises ethical and 
legal questions about the purpose of vehicle automation and the responsibility for it. 
Fig. 4.3 Aschaffenburg traffic accident, caused by active steering assistant? (Source: Emily 
Wabitsch, dpa Deutsche Presse Agentur) 


On the basis of published photos of the damaged Volvo XC90, the accident 
site with the end positions and a video from an exterior and an interior camera, the 
author was able to create an accident reconstruction with PC-Crash. Despite the 
limited perceptive power of camera sensors in darkness, the pedestrian is clearly 
visible in the published video more than a second before the collision. 

The present accident reconstruction enables further analyses, under different 
assumptions, of whether a human driver, compared with the machine, could 
potentially have avoided the accident, against the background of the installed 
camera, lidar and radar sensors (see also Annex Fig. A.16). 

Detailed information on the accident is provided by the National Transportation 
Safety Board (NTSB) in two reports under number HWY18MH010. A 
preliminary report was published immediately after the crash in 2018 (National 
Transportation Safety Board 2018). A detailed “vehicle automation report” was 
published on November 5, 2019 (National Transportation Safety Board 2019). 

According to the preliminary report, the Uber test vehicle collided at a speed of 
39 mph. Roughly 6 seconds before the impact, the vehicle was driving at 43 mph. 
Already 1.3 seconds before the impact the system had determined that an 
emergency braking maneuver was necessary in order to prevent a collision. 
According to Uber, the test vehicle’s emergency braking system was deactivated to 
prevent unintentional behavior. 

According to the data recorder, the modified autonomously driving Volvo XC 
90 drove 44 mph (70.8 km/h) when an object was first detected from the Radar 
sensor 5.6 seconds before the crash. However, it was not recognized as a woman 
crossing the road, but only as a “vehicle” that was not identified as moving in any 
direction. Within the next few seconds, this image classification changed conti- 
nuously. With each new image classification, the previously registered location 
information was reset. The robotic car thought it was constantly recognizing a 
new stationary “vehicle”, “unknown object” or “bicycle”. The object movement 
in the direction of the driving lane of the Volvo was not foreseen for seconds (see 
Annex Fig. A.12). 

Only 1.5 seconds before the crash at 44 mph (70.8 km/h), an unknown object 
was detected by the Lidar sensor which partially moved into the lane of the Volvo. 
The algorithms therefore calculated an evasive maneuver. Exactly 1.2 seconds 
before the crash at 43 mph (69.2 km/h), the Lidar system then detected a bicycle 
on its way into the lane, so an evasive maneuver was no longer possible (see 
Annex Fig. A.12). 

Another problem of the software at that time can be seen here: if the system 
detected such a hazardous situation, it suspended its own action for one second 
to give the safety driver time to intervene. An immediate reaction by the Volvo 
was not designed into the software; this was intended to prevent the unintended 
consequences of a wrong intervention. 
At the end of the one-second suspension, 0.2 seconds before the collision at 
40 mph (64.4 km/h), the safety driver did not react. She was looking down and had 
no view of the road. The software was programmed in such a way that it only 
decelerates to the maximum if a collision can be prevented. Otherwise an acoustic 
warning with only slight braking was programmed. In this specific case, the 
safety driver took over the steering wheel at that moment and thus deactivated the 
slight autonomous braking. The crash was fatal, and only 0.7 seconds later, at 
a speed of still 37 mph (59.5 km/h), the safety driver began to apply the brakes 
(see Annex Fig. A.12). 

This traffic accident had fatal consequences not only because the sensor system 
was not prepared for people crossing roads unintentionally or against traffic rules 
(jaywalking), but also because the above-mentioned system design decisions have 
been implemented by the software developers. For further scientific findings, this 
pedestrian accident was subsequently investigated in detail by the author with 
an accident reconstruction and then visually simulated by using the PC-Crash 
software from DSD-Datentechnik, which is used worldwide. 

In the following figure (Fig. 4.4) the accident site in the final simulation is 
shown. The moment directly before the collision, the course of the accident and 
the final end positions of the pedestrian, the bicycle and the Volvo XC 90 are 
visualized. 


Fig. 4.4 Uber self-driving car accident reconstruction and original final position. (Source: 
Winkle, PC-Crash accident reconstruction software, Google Maps, Tempe Police Station) 
The pedestrian speed of 4.8 km/h (1.3 m/s) was determined from the video 
with the pedestrian pushing her bicycle across the road (Fig. 4.5 illustration top 
right) and compared with usual pedestrian speeds from expert literature (Bartels 
B, Liers H, 2014). 

A multi-body model supports the visualization of the pedestrian’s first contact 
with the pushed bicycle on the front of the Volvo XC90 (Fig. 4.5 images top 
left and bottom left). The damaged front of the Volvo after the collision with the 
bicycle and pedestrian is documented in Fig. 4.5 below right. 


[Fig. 4.5 annotation: t = 0.92 s, s = 1.2 m, v = 1.3 m/s] 


Fig. 4.5 Uber accident impact simulation with PC Crash and multi-body model. (Source: 
Winkle, PC-Crash accident reconstruction software, Google Maps, Tempe Police Station) 


Assuming a speed of 43 mph (69.2 km/h, 19.2 m/s) and an immediately effective 
emergency braking 1.2 seconds before collision with a deceleration of 8 m/s², 
the accident would have been avoided. 


$$1\ \text{mph} = 1.609344\ \frac{\text{km}}{\text{h}} = 0.44704\ \frac{\text{m}}{\text{s}} \qquad (4.1)$$

$$s = v \times t = 19.2\ \frac{\text{m}}{\text{s}} \times 1.2\ \text{s} = 23.1\ \text{m} \qquad (4.2)$$

$$a = \frac{v^2}{2s} = \frac{\left(19.2\ \frac{\text{m}}{\text{s}}\right)^2}{2 \times 23.1\ \text{m}} = 8\ \frac{\text{m}}{\text{s}^2} \qquad (4.3)$$
The best braking coefficients of current vehicle types from 100 km/h are 
between 13.7 m/s² for a sports car and 11.5 m/s² for the Volvo XC 90. 


$$100\ \frac{\text{km}}{\text{h}} = 62.1\ \text{mph} = 27.8\ \frac{\text{m}}{\text{s}} \qquad (4.4)$$


A Porsche 911 GT3 RS (991 II, in production since 2017) came to a standstill 
after 28.2 meters from 100 km/h with two occupants and warm brakes in the test 
(Auto Motor und Sport, 9/2018). This corresponds to a deceleration of 13.7 m/s²: 


$$a = \frac{v^2}{2s} = \frac{\left(27.8\ \frac{\text{m}}{\text{s}}\right)^2}{2 \times 28.2\ \text{m}} = 13.7\ \frac{\text{m}}{\text{s}^2} \qquad (4.5)$$


In June 2015, the general German automobile club (ADAC) tested the brakes 
of a comparable Volvo XC90 D5 and measured a braking distance of only 33.6 
meters. The measured braking distances are average values from ten individual 
braking operations each (ADAC Technik Zentrum, 6/2015). The corresponding 
deceleration is thus 11.5 m/s²: 


$$a = \frac{v^2}{2s} = \frac{\left(27.8\ \frac{\text{m}}{\text{s}}\right)^2}{2 \times 33.6\ \text{m}} = 11.5\ \frac{\text{m}}{\text{s}^2} \qquad (4.6)$$


With this average deceleration of 11.5 m/s² for the Volvo XC 90, it would 
theoretically have been sufficient in the present pedestrian accident, with an 
initial speed of 43 mph (69.2 km/h, 19.2 m/s), if the braking had started 16.1 
meters before the pedestrian or slightly more than 0.8 seconds before the collision: 


$$s = \frac{v^2}{2a} = \frac{\left(19.2\ \frac{\text{m}}{\text{s}}\right)^2}{2 \times 11.5\ \frac{\text{m}}{\text{s}^2}} = 16.1\ \text{m} \qquad (4.7)$$

$$t = \frac{s}{v} = \frac{16.1\ \text{m}}{19.2\ \frac{\text{m}}{\text{s}}} = 0.8\ \text{s}\ (0.8375\ \text{s}) \qquad (4.8)$$


This present traffic accident reconstruction and simulation allows the investi- 
gation of further assumptions with the corresponding effects on the relationships 
between distances, times and speeds (see Annex Fig. A.11). 
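The relationships between distances, times and speeds from equations 4.1 to 4.8 can be explored in code. The following Python script is an added example, not taken from the book or its PC-Crash reconstruction; the function names, the HandoffOutcome type and the hand-off delay parameter are my own, the speeds, lead times and braking distances are the values quoted above, and deceleration is assumed constant and immediately effective.

```python
"""Kinematic checks for the Tempe timeline using the relations in eqs. 4.1-4.8.

Added example (not from the book or the PC-Crash reconstruction). Assumes a
constant deceleration that takes effect immediately when braking starts, and
that the collision point is where the car would arrive at constant speed v0.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Tuple

MPH_TO_MS = 0.44704          # eq. 4.1: 1 mph = 0.44704 m/s
KMH_TO_MS = 1.0 / 3.6        # eq. 4.4: 100 km/h = 27.8 m/s


def mph_to_ms(v_mph: float) -> float:
    return v_mph * MPH_TO_MS


def ms_to_mph(v_ms: float) -> float:
    return v_ms / MPH_TO_MS


def required_deceleration(v0: float, lead_time: float) -> float:
    """Deceleration (m/s^2) needed to stop within the distance s = v0 * lead_time
    that the car would otherwise cover before the collision point (eqs. 4.2, 4.3)."""
    s = v0 * lead_time
    return v0 ** 2 / (2.0 * s)


def deceleration_from_braking_distance(v0: float, s: float) -> float:
    """a = v^2 / (2 s) from a measured braking distance (eqs. 4.5, 4.6)."""
    return v0 ** 2 / (2.0 * s)


def minimum_lead(v0: float, a: float) -> Tuple[float, float]:
    """Distance (m) and time (s) ahead of the collision point at which braking
    with deceleration a must begin to stop just short of it (eqs. 4.7, 4.8)."""
    s = v0 ** 2 / (2.0 * a)
    return s, s / v0


def impact_speed(v0: float, lead_time: float, a: float) -> float:
    """Speed (m/s) at the collision point when braking at deceleration a starts
    lead_time seconds before the car would reach it at v0. Returns 0.0 when the
    vehicle stops short of the pedestrian."""
    s = v0 * lead_time
    v_sq = v0 ** 2 - 2.0 * a * s
    # Tiny positive residues from floating-point rounding still mean "stopped".
    return sqrt(v_sq) if v_sq > 1e-9 else 0.0


@dataclass(frozen=True)
class HandoffOutcome:
    brake_start_before_collision: float   # seconds
    impact_speed_ms: float
    avoided: bool


def handoff_outcome(v0: float, hazard_lead: float, handoff_delay: float,
                    a: float) -> HandoffOutcome:
    """Model the design decision described in the text: the system recognises
    the hazard hazard_lead seconds before the collision but suppresses its own
    braking for handoff_delay seconds to give the safety driver time to act.
    Full braking at deceleration a is assumed once the delay expires (the book
    does not quantify the "slight braking", so that variant is not modelled)."""
    start = max(hazard_lead - handoff_delay, 0.0)
    v = impact_speed(v0, start, a)
    return HandoffOutcome(start, v, v == 0.0)


if __name__ == "__main__":
    v0 = mph_to_ms(43.0)                      # 19.2 m/s, as in eq. 4.2
    a_xc90 = deceleration_from_braking_distance(100 * KMH_TO_MS, 33.6)  # eq. 4.6
    print(f"deceleration needed at 1.2 s lead: {required_deceleration(v0, 1.2):.1f} m/s^2")
    print(f"XC90 deceleration from 33.6 m:       {a_xc90:.1f} m/s^2")
    s_min, t_min = minimum_lead(v0, a_xc90)
    print(f"latest braking point for XC90:       {s_min:.1f} m / {t_min:.2f} s")
    for delay in (0.0, 0.5, 1.0):             # 1.0 s is the hand-off described above
        out = handoff_outcome(v0, 1.2, delay, a_xc90)
        print(f"hand-off {delay:.1f} s -> braking {out.brake_start_before_collision:.1f} s "
              f"before collision, impact {ms_to_mph(out.impact_speed_ms):.1f} mph, "
              f"avoided={out.avoided}")
```

With the one-second hand-off the modelled XC90 still reaches the pedestrian at roughly 37 mph, whereas braking from 1.2 s out with the same deceleration stops it short.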

The National Transportation Safety Board (NTSB) cited the following as 
contributing to the fatal crash: 

1. The failure of the safety driver, who was visually distracted throughout the 
trip by her personal cell phone. 
2. Inadequate safety risk assessment procedures at Uber’s Advanced Technologies 
Group. 
3. Uber’s ineffective monitoring of vehicle operators. 
4. Uber’s inability to address the automation complacency of its safety drivers 
monitoring the automated driving systems. 
5. The victim was found to have methamphetamines in her system, and her 
impairment may have led her to cross the street outside the crosswalk. 
6. Arizona’s “insufficient” policies to regulate automated vehicles on its public 
roads were found to have contributed to the crash (National Transportation 
Safety Board 2019). 

The author’s own experience of previous product liability cases has shown 
that interdisciplinary structured and experience-based development is a minimum 
requirement. In case of damage, the following questions are the key for avoiding 
civil and criminal claims: 


— Has the new system already been checked for possible failures prior to 
development, considering the risks, probability of occurrence and benefits? 

— Can the vehicle be type-approved in the intended technological specification 
in order to be licensed for safe road traffic use? 

— What measures beyond purely legal framework were taken to minimize risk, 
damage, and hazards? 


Essentially, besides general type-approval requirements, no globally agreed and 
harmonized methods for fully automated vehicles exist today. These could be 
generated using internationally legally binding development guidelines including 
checklists (similar to the RESPONSE 3 ADAS Code of Practice for the Design 
and Evaluation of Advanced Driver Assistance Systems (“ADAS with active support 
for lateral and/or longitudinal control”), Knapp A, Neumann M, Brockmann M, 
Walz R, Winkle T, 2009) linked to ISO 26262 (International Organization for 
Standardization, ISO 26262, 2018), Section 3, Concept phase, Table B.6: Examples 
of possibly controllable hazardous events by the driver or by the persons 
potentially at risk, page 26/27, Controllability. 

Future guidelines will either be orientated towards today’s requirements or to a 
large extent adopt them. The methods for evaluating risk during development (see 
Sec. 4.7.4) ensure that no unacceptable personal dangers are to be expected when 
using the vehicle. Therefore, the generally valid legal requirements, guidelines, 
standards and procedures applied during the development process must, as a 
minimum requirement, address the following question: 


— Are generally accepted rules, standards, and technical regulations 
comprehensively checked? 
Only complying with current guidelines is usually insufficient. Furthermore, it 
raises the following questions: 


— Was the system developed, produced, and sold with the required necessary 
care? 

— Could the damage that occurred have been avoided or reduced in its effect with 
a different design? 

— How do competitors’ vehicles behave, or how would they have behaved? 

— Would warnings have been able to prevent the damage? 

— Were warnings in the user manuals sufficient or additional measures required? 


Whether an automated vehicle has achieved the required level of safety or not can 
be seen at the end of the development process: 


— Was a reasonable level of safety achieved with appropriate and sufficient mea- 
sures in line with state of the art and science at the time it was placed on the 
market? 


Even after a successful market introduction, monitoring of operation is absolutely 
necessary. This is still the case when all legal requirements, guidelines, and quality 
processes for potential malfunctions and safe use of the developed automated 
vehicle functions have been complied with. The duty to monitor is the result of the 
legal duty to maintain safety as found in Section 823 Paragraph 1 of the German 
Civil Code (BGB) (Kohler H, 2012), where breach of duty triggers liability for 
any defect that should have been recognized as such. This raises the concluding 
question for product liability cases: 


— Was or is the automated vehicle being monitored during customer use? 


4.7.2 Potential Hazard Situations at the Beginning 
of Development 


The day-to-day experience of our technologically advanced society shows that 
risks and risky behavior are an unavoidable part of life. Uncertainty and 
imponderables are no longer seen as fateful events to be accepted, but rather as 
more or less calculable uncertainties (Grunwald, 2013, 2016). The result is higher 
demands on risk management for the producers of new technologies. 
A structured analysis of the hazards, taking into consideration all possible 
circumstances, can help to give an initial overview of potential dangers. Therefore, 
in the early development stages it makes sense to provide a complete specification 
of the automated vehicle, to ensure a logical hazard analysis and subsequent risk 
classification (see Sec. 4.7.4). 

On this basis, it is possible for an interdisciplinary expert team (see Fig. 4.11) 
to draw up a first overview of well-known potentially dangerous situations at 
the start of a project. This usually leads to a large number of relevant situati- 
ons. Due to practical considerations, scenarios for expert assessment and testing 
should later be restricted to the most relevant (e.g. worldwide relevant test sce- 
narios based on comprehensively linked up geographically defined accident-, 
traffic-flow- and weather data collections, see Ch. 3). 

According to the system definition, it is recommended to initially gather 
situations on a list or table. This should take the following into consideration: 


— When should the automated function be reliably assured (normal function)? 

— In what situations could automation be used in ways for which it is not 
designed (misinterpretation and potential misuse)? 

— When are the performance limits for the required redundancy reached? 

— Are dangerous situations caused by malfunctioning automation (failure, break- 
down)? 


Jointly drawing up the maximum number of dangerous situations relevant to the 
system makes it likely that no relevant hazard is omitted or forgotten. As a next 
step, summarizing the risks that directly impact safety is recommended. After 
cutting the situations down to those that are actually safety-relevant, technical 
solutions will be developed. 


4.7.3 Methods for Assessing Risks during Development 


In discussing phasing out nuclear energy, a German Federal Government publi- 
cation states that German society, as a “community with a common destiny” and 
as part of the “global community of risk”, wishes for progress and prosperity, but 
only accompanied by controllable risks (Merkel et al., 2011). This is surely only 
partially transferable to road traffic, where risks of automated vehicles are limited 
— in contrast to nuclear energy — to a manageable group of people. However, the 
specific requirements for the methods used in analyzing and assessing risks are 
similar. Five common methods are outlined below. 
4.7.3.1 Hazard Analysis and Risk Assessment 

The hazard analysis and risk assessment procedure (HARA) is described 
and annotated in ISO 26262 Part 3 for functional safety of complex electri- 
cal/electronic vehicle systems as well as in the referring ADAS Code of Practice 
definition for the development of active longitudinal and lateral functions (Knapp, 
Neumann, Brockmann, Walz & Winkle 2009; Donner, Winkle, Walz & Schwarz, 
2007). Parts of the methods given as examples in the following sections (HAZOP, 
FMEA, FTA, HIL) also refer to the HARA. The aim of HARA is to identify the 
potential hazards of a considered unit, to classify them, and to set targets. This 
enables dangers to be avoided, thus achieving a generally acceptable level of risk. 
In addition, an “item” is judged on its impact on safety and categorized to an 
Automotive Safety Integrity Level (ASIL). An “item” is defined in ISO 26262 as 
a complex electrical/electronic system or a function that may contain mechanical 
components of various technologies. The ASIL is ascertained through a systematic 
analysis of possible hazardous situations and operating conditions. It also invol- 
ves an assessment of accident severity levels via Abbreviated Injury Scale (AIS) 
(Association for the Advancement of Automotive Medicine, 2005) in connection 
with the probability of occurrence. 

Basically, for the assessment of a technical system, the risk is a central term. 
It is defined as follows: 


Risk = Expected frequency of hazard x Potential severity of harm (4.9) 


For an analytical approach the risk R can be expressed as function F of the 
expected frequency f whereby a hazardous event occurs, and the potential severity 
of harm S of the resulting damage: 


R = F(f, S) (4.10) 


The frequency f with which a hazardous event occurs is in turn influenced by 
various parameters. Another influence on whether a hazardous event occurs is whether 
monitoring drivers and/or other road users involved in the accident can react with a 
timely response, preventing potentially damaging effects (C = controllability). 


$R = F(f, C, S)$ (4.11) 


A final proof of controllability should be tested with “naive test persons” in 
relevant scenarios. “Naive test persons” means that they test the automated system 
to be assessed and do not have more experience and prior knowledge about the 
system than a later user would have. Test scenarios have “passed” if the test person 
reacts as expected or otherwise responds in an adequate way to control the traffic 
situation. Controllability is categorized in the Code of Practice definition and ISO 
26262 between C0 and C3. In the following, the classes C0 to C3 of the ADAS 
Code of Practice referring to ISO 26262 are shown (Fig. 4.6): 


Class           C0                    C1                      C2                      C3 
Description     Controllable in       Simply controllable     Normally controllable   Difficult to control 
(informative)   general                                                               or uncontrollable 
Definition      Distracting           More than 99% of        More than 85% of        The average driver or 
                                      average drivers or      average drivers or      other traffic participant 
                                      other traffic           other traffic           is usually unable, or 
                                      participants are        participants are        barely able, to control 
                                      usually able to         usually able to         the damage. 
                                      control the damage.     control the damage.* 


Fig.4.6 Controllability Classes with Note* in ISO 26262. (Source: ADAS Code of Practice) 


The controllability consideration is always relevant when an average driver 
or any human road user can intervene in order to avoid an imminent collision. 
This applies to both mixed traffic and highly automated driving. For professional 
drivers who are particularly familiar with the vehicle this approach is only suitable 
to a limited extent. 

The practical testing experience shows that a number of 20 valid records per 
scenario can provide a basic indication of validity. ISO 26262:2018 Part 3 Concept 
Phase refers to the Classes of Controllability indicated in the ADAS Code of 
Practice: 

“NOTE 1: For C2, a feasible test scenario in accordance with RESPONSE 3 is 
accepted as adequate: “Practical testing experience revealed that a number of 20 
valid data sets per scenario can supply a basic indication of validity”. If each of 
the 20 data sets complies with the pass-criteria for the test, a level of controllability 
of 85% (with a level of confidence of 95% which is generally accepted for human 
factors tests) can be proven. This is appropriate evidence of the rationale for a 
C2-estimate. ...” (see Fig. 4.7) 
[Fig. 4.7 reproduces ISO 26262-3:2018(E), Table B.6 “Examples of possibly controllable 
hazardous events by the driver or by the person potentially at risk”: the classes of 
controllability C0 (Controllable in general), C1 (Simply controllable), C2 (Normally 
controllable) and C3 (Difficult to control or uncontrollable), together with NOTE 1 on 
the feasible C2 test scenario quoted above.] 


Fig. 4.7 Note* in ISO 26262:2018, Test scenario is accepted as adequate. (Source: ISO 
26262:2018, Part 3, Table B.6) 
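The statistics behind the “20 valid data sets” rule, as an added example that is not part of the book or of ISO 26262: each test run is modelled as an independent trial with unknown pass probability p, and the functions show what n passes out of n runs prove about p at a one-sided 95 % confidence level (the 85 % threshold and the 95 % confidence are the values quoted in the note above).

```python
"""Statistics behind the "20 valid data sets" rule for a C2 controllability claim.

Added example (not from the book or from ISO 26262). It models every test
run as an independent trial with unknown pass probability p and asks what
n passes out of n runs prove about p at a one-sided confidence level.
"""
import math


def prob_all_pass(p: float, n: int) -> float:
    """Probability that all n runs pass if the true controllability is only p."""
    return p ** n


def min_runs_for_claim(p_claim: float, confidence: float) -> int:
    """Smallest n such that n passes out of n rejects 'p <= p_claim' at the
    given confidence, i.e. the smallest n with p_claim**n <= 1 - confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(p_claim))


def lower_bound_zero_failures(n: int, confidence: float) -> float:
    """One-sided lower confidence bound on p after n passes and no failure
    (Clopper-Pearson bound with zero failures): solve p**n = 1 - confidence."""
    return (1.0 - confidence) ** (1.0 / n)


def c2_claim_supported(passes: int, runs: int,
                       p_claim: float = 0.85, confidence: float = 0.95) -> bool:
    """Pass criterion of the note: every data set must pass. Then the lower
    confidence bound on p must reach the C2 threshold (85 %)."""
    if runs <= 0 or passes != runs:
        return False
    return lower_bound_zero_failures(runs, confidence) >= p_claim


if __name__ == "__main__":
    print(f"P(20/20 pass | p = 0.85) = {prob_all_pass(0.85, 20):.4f}")
    print(f"runs needed to show p > 0.85 at 95 %: {min_runs_for_claim(0.85, 0.95)}")
    print(f"lower bound on p after 20/20: {lower_bound_zero_failures(20, 0.95):.4f}")
    print(f"C2 supported by 20/20: {c2_claim_supported(20, 20)}")
    print(f"C2 supported by 19/20: {c2_claim_supported(19, 20)}")
```

Under this model 19 consecutive passes already suffice for the 85 %/95 % claim, so the rule of 20 carries a small margin; a single failed run invalidates the claim rather than reducing it, which is why the note requires every data set to pass.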


Controllability via the driver, however, is not present in terms of driverless and 
fully automated vehicles participating in an accident. 

One essential factor to consider is how often or how long a person is in a 
situation where a hazard can occur (E = exposure). The product E x C is a 
measure of the probability that a defect has the potential in a certain situation to 
have a corresponding impact on the damage described. 

A further factor (λ = failure rate) can be traced back to undetected random 
hardware failures of system components and dangerous systematic errors remai- 
ning in the system. It gives the frequency of occurrence with regard to E with 
which the automated vehicle can trigger a hazardous event itself. 

The product f thus describes the number of events to be expected during period 
E, e.g. kilometers driven or the number of times a vehicle is started: 


$f = E \times \lambda$ (4.12) 

In the ISO 26262 standard, the following simplification is assumed: 

$f = E$ (4.13) 


As a result, the risk R is expressed as a function F of the “probability of 
exposure E”, the “controllability C” and the potential “severity of harm S” of the 
resulting damage: 


$R = F(E, C, S)$ (4.14) 


The increasing use of complex electronic components in automated vehicles 
requires considering them with regard to functional safety-related issues. There- 
fore, ISO 26262 stipulates that the Failure in Time (FIT) of technical and 
electronic components must also be considered. The unit FIT gives the number 
of components that fail within 10^9 hours (see 4.7.6 “proven in use”). 


$1\,\mathrm{FIT} = \frac{1\ \text{failure}}{10^{9}\ \text{hours of device operation}}$ (4.15) 


Thus, one FIT corresponds to: 

$1\,\mathrm{FIT} = 1 \times 10^{-9}\ \mathrm{h}^{-1}$ (4.16) 


The failure rate λ of a hardware element is variable over time, λ(t). This rela- 
tion is usually represented by a “Weibull distribution” — often also known as the 
“bathtub curve”. It first describes the “early phase” in which the failure rate is 
very high at the beginning due to early failures. Through revisions and impro- 
vements, the failure rate λ(t) in the “use phase” reaches its minimum, where it is 
determined only by random failures. Within the operational lifetime of the components, 
the failure rate in the “wear-out phase” increases due to, for example, aging effects 
up to uselessness. In relation to the typical course of the “bathtub curve”, the failure 
rate λ in the use phase is assumed to be constant over time t. 


$\lambda(t) \approx \text{const.}$ (4.17) 

Instead of the failure rate as a parameter, a Mean Time to Failure (MTTF) 
can be assumed. In the case of a constant failure rate, the MTTF represents the 
reciprocal value of the failure rate: 


$\mathrm{MTTF} = \frac{1}{\lambda}$ (4.18) 


For repairable systems, a Mean Time to Repair (MTTR) can now be specified. 
With this MTTR, the Mean Time between Failures (MTBF) can be specified as 
the time between two failures: 


MTBF = MTTF + MTTR (4.19) 


If no repairable element is present or MTTF > MTTR is valid, it can be 
simplified with constant failure rates: 


$\mathrm{MTBF} = \mathrm{MTTF} = \frac{1}{\lambda}$ (4.20) 


In the context of the assumption of constant failure rates during the utilization 
phase, an exponential distribution can be derived. The exponential distribution 
is often used in electrical engineering, since this is characteristic for electronic 
components. Within the framework of ISO 26262, an exponential distribution is 
also proposed in the context of the assumption of a constant failure rate (ISO 
26262-5, Annex C.1.2). 


$f(t) = \frac{dF(t)}{dt} = \lambda e^{-\lambda t}$ (4.21) 


The reliability R(t) in the reverse of the failure probability can be described 
by: 


$R(t) = 1 - F(t) = e^{-\lambda t}$ (4.22) 


Probability of occurrence f and — where possible — controllability C give the 
Automotive Safety Integrity Levels (ASIL). Four ASIL levels are defined: ASIL 
A, ASIL B, ASIL C and ASIL D. Among them ASIL A demands the lowest and 
ASIL D the highest requirement. In addition to these four ASIL levels, the QM 
class (quality management) does not require compliance with ISO 26262. 

An ASIL will be determined for each hazardous event using the “severity”, 
“probability of exposure” and “controllability” parameters in accordance with the 
following table (Fig. 4.8). 

A classification in ASIL A corresponds to a recommended probability of 
occurrence less than 10^{-6} per hour and is equivalent to a rate of 1000 FIT. 

Fig.4.8 ASIL Determination. (Source: ADAS Code of Practice, ISO 26262) 


$\text{ASIL A} < 1 \times 10^{-6}\ \frac{1}{\mathrm{h}} = 1000\ \mathrm{FIT}$ (4.23) 


A rating into ASIL B (recommended) or ASIL C (required) corresponds to a 
probability of occurrence lower than 10^{-7} per hour, i.e. a rate of 100 
FIT: 


$\text{ASIL B}, \text{ASIL C} < 1 \times 10^{-7}\ \frac{1}{\mathrm{h}} = 100\ \mathrm{FIT}$ (4.24) 


As already mentioned, the highest requirements exist for ASIL D (required 
probability of occurrence smaller than 10^{-8} per hour corresponding to a rate of 
10 FIT): 


$\text{ASIL D} < 1 \times 10^{-8}\ \frac{1}{\mathrm{h}} = 10\ \mathrm{FIT}$ (4.25) 
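The FIT, MTTF/MTBF, exponential-reliability and ASIL-rate relations of Eqs. 4.15 to 4.25 as working functions, added here as an example that is not the book's own code; the series-combination rule (rates of independent elements add) and the component FIT values at the bottom are assumptions constructed for the illustration.

```python
"""Failure rate, FIT, MTTF/MTBF and the exponential reliability model.

Added example, not the book's own code: it turns Eqs. 4.15 to 4.25 into
functions. The component FIT values used at the bottom are constructed.
"""
import math

HOURS_PER_FIT = 1e9  # 1 FIT = 1 failure per 10^9 device hours (Eq. 4.15)

# Probability-of-occurrence targets per hour from Eqs. 4.23 to 4.25.
ASIL_TARGET_PER_HOUR = {"A": 1e-6, "B": 1e-7, "C": 1e-7, "D": 1e-8}


def fit_to_rate(fit: float) -> float:
    """FIT -> failure rate lambda in 1/h (Eq. 4.16)."""
    return fit / HOURS_PER_FIT


def rate_to_fit(lam: float) -> float:
    """Failure rate lambda in 1/h -> FIT."""
    return lam * HOURS_PER_FIT


def asil_target_fit(asil: str) -> float:
    """ASIL target expressed in FIT: 1000 (A), 100 (B, C), 10 (D)."""
    return rate_to_fit(ASIL_TARGET_PER_HOUR[asil])


def mttf(lam: float) -> float:
    """Constant failure rate: MTTF = 1 / lambda (Eq. 4.18)."""
    return 1.0 / lam


def mtbf(lam: float, mttr_hours: float = 0.0) -> float:
    """MTBF = MTTF + MTTR (Eq. 4.19); MTTR = 0 gives MTBF = MTTF (Eq. 4.20)."""
    return mttf(lam) + mttr_hours


def reliability(lam: float, t_hours: float) -> float:
    """R(t) = e^(-lambda t): probability of surviving t hours (Eq. 4.22)."""
    return math.exp(-lam * t_hours)


def failure_probability(lam: float, t_hours: float) -> float:
    """F(t) = 1 - R(t) = 1 - e^(-lambda t), the integral of Eq. 4.21."""
    return 1.0 - reliability(lam, t_hours)


def series_rate(fit_values) -> float:
    """Assumption: independent elements in series with constant rates, so
    the rates (and therefore the FIT values) simply add up."""
    return sum(fit_to_rate(f) for f in fit_values)


def asil_budget_ok(asil: str, fit_values) -> bool:
    """True if the combined random-hardware failure rate of the listed
    elements stays below the ASIL target of Eqs. 4.23 to 4.25."""
    return series_rate(fit_values) < ASIL_TARGET_PER_HOUR[asil]


if __name__ == "__main__":
    # Constructed example: three elements of one control path with 2, 3 and 4 FIT.
    parts = [2.0, 3.0, 4.0]
    lam = series_rate(parts)
    print(f"combined rate: {rate_to_fit(lam):.0f} FIT, MTTF {mttf(lam):.3g} h")
    print(f"R(15000 h) = {reliability(lam, 15_000):.6f}")
    for asil in "ABCD":
        print(f"ASIL {asil} budget ({asil_target_fit(asil):.0f} FIT) met:",
              asil_budget_ok(asil, parts))
```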


Beyond normal vehicle operation, ISO 26262 also considers service require- 
ments, including decommissioning of the vehicle. In this respect, developers have 
to consider the consequences of aging when selecting components. Control units 
or sensors have to be sufficiently protected by robust design. Any single failure 
must not close down any safety related functions (International Organization for 
Standardization, ISO 26262, 2018). The main target is to meet a societal and 
individually accepted risk applying measures for enhancing safety (see Fig. 4.9). 


[Fig. 4.9 schematic: a risk scale with the levels “Risk not acceptable”, “Risk tolerable” 
and “Risk societal and individual accepted”; “Measures for enhancing safety” and 
“Ethics” are shown as the means of moving from one level to the next.] 


Fig.4.9 Measures to increase safety for social and individual accepted risks 


For each hazardous event with an ASIL evaluated in the hazard analysis a 
safety goal shall be determined. The ASIL, as attribute of a safety goal, will be 
passed on to each subsequent safety requirement. Similar safety goals may be 
combined into one safety goal. The safety goal can describe features or physical 
characteristics as a maximum steering wheel torque or maximum level of unin- 
tended acceleration. To comply with safety goals, the functional safety concept 
includes safety measures for: fault detection and failure mitigation; transitioning 
to a safe state; fault tolerance mechanisms, fault detection and warning to reduce 
the risk exposure time to an acceptable interval. The method of ASIL tailoring 
during the development process is called “ASIL decomposition”. A suggested 
measure is an arbitration logic where for example two working systems override 
and take over control from the system, which has failed or which generated a 
contradictory command. 

ISO 26262 specifies recommended techniques which move from “suggested” 
to “required”. If a causing failure is detected, an appropriate system state should 
be transformed by means of a recovery into a system state without any detected 
errors or faults. This graceful degradation is one way of reducing functionality 
to continue a minimum performance instead of the occurrence of a failure. A 
graceful degradation can be activated as a reaction to a detected failure. Since 
the ASIL decomposition is a very central topic of ISO 26262, it is also dedicated 
to its own chapter (chapter 9 ASIL). The definition of decomposition is given in 
chapter 1: 


“Apportioning of safety requirements redundantly to sufficiently independent ele- 
ments (1.32), with the objective of reducing the ASIL (1.6) of the redundant safety 
requirements that are allocated to the corresponding elements” 


The correct decomposition can be represented by a simple mathematical formula, 
in which the following agreements apply: 


QM(x) will be replaced by ⇒ 0 (4.26) 
ASIL A(x) will be replaced by ⇒ 1 (4.27) 
ASIL B(x) will be replaced by ⇒ 2 (4.28) 
ASIL C(x) will be replaced by ⇒ 3 (4.29) 
ASIL D(x) will be replaced by ⇒ 4 (4.30) 


The sum of the decomposed elements must be equal to the value of the original 
classification. So, these “calculating methods” are correct: 


ASIL_new1 + ASIL_new2 = ASIL_old (4.31) 
ASIL C(D) + ASIL A(D) = ASIL D (4.32) 
3 (ASIL C(D)) + 1 (ASIL A(D)) = 4 (ASIL D) (4.33) 


ASIL D = ASIL C(D) + ASIL A(D) (4.34) 
4 (ASIL D) = 3 (ASIL C(D)) + 1 (ASIL A(D)) (4.35) 
ASIL C = ASIL A(C) + ASIL A(C) + ASIL A(C) (4.36) 
3 (ASIL C) = 1 (ASIL A(C)) + 1 (ASIL A(C)) + 1 (ASIL A(C)) (4.37) 


It must always be considered that, for example, an ASIL A(D) does not 
correspond to ASIL A: 


ASIL A(D) ≠ ASIL A (4.38) 


This means that if the decomposed elements are to be equal parts, or the same 
software is to be used, then the dependent errors must be analyzed in order to 
detect systematic errors. 

The hardware metrics for the architecture and also the random hardware errors 
which could lead to a violation of the safety target remain the same for the overall 
function! For the decomposed elements a sufficient independence must be shown. 
This applies to the following areas: criteria for co-existence; freedom from inter- 
ference; cascading failures, dependent failures and common cause failures. The 
following requirements must also be applied to all decomposed elements with the 
original requirements of the safety target: 


— Confirmation measures in accordance with ISO 26262-2, 6.4.7 and ISO 26262- 
9, Section 5.4.11 a 

— Integration activities and subsequent activities in accordance with ISO 26262- 
9, Section 5.4.14 and ISO 26262-5 Section 10.4.2 

— Hardware metric analysis in accordance with ISO 26262-9, Section 5.4.13 


If an ASIL D is to be decomposed, then all decomposed elements must meet the 
requirements for ASIL C. What is important is the distinction between decomposi- 
tion and monitoring. During the decomposition, both elements must be redundant 
in relation to the safety target. Thus, for example, both the main computer and 
the safety computer must be able to switch into the safe state independently of 
one another when voltage, current or torque are too high. 
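The ASIL determination from S, E and C (Fig. 4.8) and the decomposition arithmetic of Eqs. 4.26 to 4.38 as one added example, not the book's own code: the S/E/C lookup reproduces ISO 26262-3 Table 4 from the editor's knowledge of the standard, because the book's Fig. 4.8 is not reproduced on this page, and the treatment of C0 as QM is an assumption.

```python
"""ASIL determination from S, E, C and the decomposition arithmetic.

Added example, not the book's own code. The S/E/C lookup reproduces
ISO 26262-3 Table 4 from the editor's knowledge of the standard (the book's
Fig. 4.8 is not reproduced here); the decomposition checks implement the
sum rule of Eqs. 4.26 to 4.38.
"""
from itertools import combinations_with_replacement
from typing import Iterable, List, Tuple

ASIL_VALUE = {"QM": 0, "A": 1, "B": 2, "C": 3, "D": 4}   # Eqs. 4.26 to 4.30
VALUE_ASIL = {v: k for k, v in ASIL_VALUE.items()}


def determine_asil(s: int, e: int, c: int) -> str:
    """Severity S1..S3, exposure E1..E4, controllability C0..C3 -> ASIL.

    ISO 26262-3 Table 4 is equivalent to rank = S + E + C - 6, floored at 0
    (QM). C0 "controllable in general" is treated as QM (assumption; C0 lies
    outside the table)."""
    if c == 0:
        return "QM"
    if not (1 <= s <= 3 and 1 <= e <= 4 and 1 <= c <= 3):
        raise ValueError("expected S in 1..3, E in 1..4, C in 0..3")
    return VALUE_ASIL[max(0, s + e + c - 6)]


def is_valid_decomposition(original: str, parts: Iterable[str]) -> bool:
    """Eq. 4.31: the decomposed values must add up to the original value."""
    return sum(ASIL_VALUE[p] for p in parts) == ASIL_VALUE[original]


def decompositions(original: str, n_parts: int = 2) -> List[Tuple[str, ...]]:
    """All multisets of n_parts labels satisfying Eq. 4.31, e.g. D -> C + A."""
    return [combo for combo in combinations_with_replacement(ASIL_VALUE, n_parts)
            if is_valid_decomposition(original, combo)]


def decomposed_label(part: str, original: str) -> str:
    """Tag a decomposed requirement with its origin, e.g. 'ASIL A(D)', which
    is not the same thing as a plain 'ASIL A' (Eq. 4.38)."""
    prefix = "" if part == "QM" else "ASIL "
    return f"{prefix}{part}({original})"


if __name__ == "__main__":
    asil = determine_asil(3, 4, 3)               # worst case in every parameter
    print("S3/E4/C3 ->", asil)
    for combo in decompositions(asil):
        print("  ", " + ".join(decomposed_label(p, asil) for p in combo))
    print("with C2 controllability evidence, S3/E4 ->", determine_asil(3, 4, 2))
    print("C -> three A(C) parts valid:",
          is_valid_decomposition("C", ["A", "A", "A"]))   # Eq. 4.36
```

The sum rule alone accepts every arithmetic split, including D ⇒ D(D) + QM(D); whether a split is admissible in practice still depends on the independence evidence the text lists (freedom from interference, dependent and common-cause failure analysis).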

On the other hand, in the case of monitoring, the diagnostic element only tells 
the main computer that something is wrong — but only the main computer can 
transfer the system into the Safe State. Overall, it is required that the developers 
must specify and document methodologies, best practices or guidelines for each 
phase of the development. 

It is currently being discussed whether the current standard ISO 26262:2018 
can also support using Artificial Intelligence (AI) trained data, which will be used 
increasingly, and how it can be applied. The safety of Artificial Intelligence, which 
is being used increasingly, is still considered as an independent field of research. 
Therefore, the author recommends further developing the current competences 
for the validation of controllability with regard to the influence of other human road 
users. In the future, the importance of a systematic risk assessment and a systemic 
approach will increase. 
Fig. 4.10 Further systematic and systemic competencies in the future. (QM = Quality 
management, A, B, C, D = ASIL A-D requirements) 


In contrast to the previous two basic risk management dimensions, more expert 
competence levels will be necessary in the future on the basis of area-wide infor- 
mation, modified systematic and systemic methods in connection with advanced 
controllability evaluations. 
The influence parameter I stands for area-wide information. It implies that all 
data already available area-wide are used (see Ch. 3). That concerns accident, traf- 
fic and vehicle operating data. As a result, conclusions can also be drawn about 
near-accidents. Variable M stands for modified methods: This would include an 
actualization of the ADAS Code of Practice as well as further development for 
further automation levels corresponding to a Code of Practice for automated dri- 
ving up to level 2. A controllability competence C with experts also enhances 
the third dimension. Such competence includes in-depth driving simulator studies 
or road tests with eye-tracking data to observe scanning behavior and cognitive 
processes including interviews for subjective and additional data. As a result, the 
variables of the formula for the risk assessment expand as follows: 


$R = F(E, S, I, M, C, \ldots)$ (4.39) 


In addition to the comprehensive information basis, further systematic and systemic 
modified methods M (see Fig. 4.10) will be required in the future. The methods 
of the following subsections (4.7.3.2 to 4.7.3.10), which are already known today, 
will be further developed in the future to understand the systemic interactions and 
mechanisms of automated driving levels. 


4.7.3.2 Hazard and Operability Study - HAZOP 

A Hazard and Operability Study (HAZOP) is an early risk assessment, develo- 
ped in the process industry. A HAZOP looks for every imaginable deviation from 
a process in normal operation and then analyzes the possible causes and conse- 
quences. Typically, a HAZOP search is carried out systematically by a specialist 
team from the involved development units. This is to reduce the likelihood of 
overlooking any important factors (Knapp A, Neumann M, Brockmann M, Walz 
R & Winkle T, 2009). 


4.7.3.3 Systems-Theoretic Methods - STAMP, STPA and FRAM 

With the STAMP and STPA method (Systems-theoretic accident model and pro- 
cesses STAMP and Systems-theoretic process analysis STPA) the US-American 
safety researcher Nancy Leveson developed a model-based hazard analysis 
method, which analyses a safety-relevant system in a structured way using a 
semi-formal model (the so-called Safety Control Structures). 

Objectives of STAMP are the definition of control limits for safe behavior 
of the safety-relevant system, socio-technical understanding of safety in com- 
plex systems, development of strategies for managing dangerous system states, 
support of optimization and adaptation processes for environmental influences, 
admission of fault tolerances and ensuring the detection and reversibility of faults. 
STAMP uses the safety control structures of a system to analyze control loops, 
to recognize the safety-critical operating processes of a system and to identify 
insufficient control structures (Ross H-L, 2019). The Functional Resonance Ana- 
lysis Method (FRAM) is used to explain specific events which, due to coupling 
and different everyday performances, can lead to unexpected successes and also 
to failures (Hollnagel E 2012). With the support of FRAM for modelling com- 
plex socio-technical systems, mechanisms of road traffic can be differentiated. 
Additionally, the dependencies between the individual system elements can be 
identified and presented separately for the human driver or automation (see also 
Annex Fig. A.16). Subsequently, recommendations for the design of automated 
driving systems can be derived (Grabbe N, et al. 2020). 


4.7.3.4 Failure Mode and Effects Analysis - FMEA 

Failure Mode and Effects Analysis (FMEA) and the integrated Failure Mode, 
Effects and Criticality Analysis (FMECA) are methods of analyzing reliability 
that identify failures with significant consequences for system performance in the 
application in question. FMEA is based on a defined system, module or compo- 
nent for which fundamental failure criteria (primary failure modes) are available. 
It is a technique for validating safety and estimating possible failure states in the 
specified design-review stage. It can be used from the first stage of an automation 
system design up to the completed vehicle. FMEA can be utilized in the design of 
all system levels (Werdich, 2012; Verband Deutscher Automobilhersteller, 2006). 


4.7.3.5 Fault Tree Analysis - FTA 
A Fault Tree Analysis (FTA) involves identifying and analyzing conditions and 
factors that promote the occurrence of a defined state of failure that noticea- 
bly impacts system performance, economic efficiency, safety, or other required 
properties. Fault trees are especially suitable for analyzing complex systems 
encompassing several functionally interdependent or independent subsystems 
with varying performance targets. This particularly applies to system designs 
needing cooperation between several specialized technical design groups. Examp- 
les of systems where Fault Tree Analysis is extensively used include nuclear 
power stations, aircraft and communication systems, chemical or other industrial 
processes. 

The fault tree itself is an organized graphic representation of the conditions or 
other factors causing or contributing to a defined undesired incident, also known 
as the top event (Knapp, Neumann, Brockmann, Walz & Winkle 2009). As a 
result, it is a logical diagram which can be either qualitative or quantitative, 
depending on whether probabilities are supplemented. 

Günter Reichart demonstrated the probability of road accidents by the use of 
a fault tree which presumes both: Inappropriate behavior and the existence of a 
conflicting object (Reichart, 2000). 

Figure 4.11 shows an example for a quantitative FTA which results in an esti- 
mation of the probability of the top event (traffic accident with personal or fatal 
injury), which depends on the probabilities of the root causes. This Fault Tree 
Analysis demonstrates that traffic accidents result by the coincidence of several 
causes. A single failure does not necessarily have dangerous impact but series of 
unfortunate circumstances and inappropriate behavior of traffic participants can 
worsen the risk situation to be uncontrollable. Human traffic participants are the 
crucial link in the chain to prevent a car crash (see Ch. 2). Especially automated 
vehicles will require appropriate safety measures. 

Figure 4.11 also demonstrates an excerpt of safety measures for a safe steering 
in case of a fully automated vehicle. 
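A quantitative fault tree evaluator with minimal cut sets, added as an example that is not the book's Fig. 4.11: the tree follows the structure the text attributes to Reichart (accident = inappropriate behaviour AND a conflicting object) and adds a technical steering failure whose effect is blocked by a functional safety measure; all probabilities are constructed illustrative values, not accident data.

```python
"""Quantitative fault tree evaluation with minimal cut sets.

Added example, not the book's Fig. 4.11. The tree follows the structure the
text attributes to Reichart (accident = inappropriate behaviour AND a
conflicting object), with a technical steering failure as one cause of
inappropriate behaviour; every probability below is a constructed
illustrative value, not accident data.
"""
from dataclasses import dataclass, field
from typing import List, Set, Union
import math


@dataclass
class Event:
    name: str
    p: float                      # probability per exposure (constructed)


@dataclass
class Gate:
    name: str
    kind: str                     # "AND" or "OR"
    inputs: List[Union["Event", "Gate"]] = field(default_factory=list)


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Top-down evaluation assuming independent inputs:
    AND multiplies, OR uses 1 - prod(1 - p_i)."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(i) for i in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    if node.kind == "OR":
        return 1.0 - math.prod(1.0 - p for p in ps)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> Set[frozenset]:
    """Minimal combinations of basic events that are sufficient for the top event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    children = [minimal_cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        sets = set().union(*children)
    else:                          # AND: one cut set from every input
        sets = {frozenset()}
        for child in children:
            sets = {a | b for a in sets for b in child}
    return {s for s in sets if not any(o < s for o in sets)}


def build_steering_tree(measure_failure_p: float = 1e-2) -> Gate:
    """Constructed tree: the functional safety measure (fallback to a safe
    state) must fail for a steering failure to become uncontrolled."""
    steering_fault = Event("technical steering failure", 1e-6)
    measure_fails = Event("safety measure fails", measure_failure_p)
    human_error = Event("inappropriate human behaviour", 1e-4)
    conflict = Event("conflicting object present", 1e-1)
    uncontrolled = Gate("uncontrolled steering", "AND", [steering_fault, measure_fails])
    inappropriate = Gate("inappropriate behaviour", "OR", [human_error, uncontrolled])
    return Gate("traffic accident with injury", "AND", [inappropriate, conflict])


def accident_probability(measure_failure_p: float = 1e-2) -> float:
    """Top-event probability of the constructed tree."""
    return probability(build_steering_tree(measure_failure_p))


def accident_cut_sets() -> Set[frozenset]:
    """Minimal cut sets of the constructed tree."""
    return minimal_cut_sets(build_steering_tree())


if __name__ == "__main__":
    print(f"P(top) with safety measure:    {accident_probability():.4e}")
    print(f"P(top) without safety measure: {accident_probability(1.0):.4e}")
    for cs in sorted(accident_cut_sets(), key=len):
        print("  cut set:", " & ".join(sorted(cs)))
```

With the constructed values the technical path contributes almost nothing to the top event while the safety measure works, which is the quantitative form of the text's point that a single failure is rarely dangerous on its own.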


4.7.3.6 Hardware-in-the-Loop (HIL) Tests 

Increasing vehicle interconnection places particular demands on validating the 
safety of the entire Electronic Control Unit (ECU) network, e.g. onboard wiring 
systems safety, bus communication, vehicle state management, diagnosis, and 
flash application’s behavior. Hardware-in-the-Loop (HIL) tests can be used as 
soon as a hardware prototype of the system or part of it, e.g. an electronic control 
unit in a vehicle, is available. As the Device under Test (DUT), the prototype is 
placed in a “loop,” a software-simulated virtual environment. This is designed to 
resemble the real environment as closely as possible. The DUT is operated under 
real-time conditions (Heising, Ersoy & Gies, 2013). 


4.7.3.7 Software-in-the-Loop (SIL) Tests 

The Software-in-the-Loop (SIL) method in contrast to HIL does not use special 
hardware. The created model of the software is only converted to the code under- 
standable for the target hardware. This code is performed on the development 
computer with the simulated model, instead of running as Hardware-in-the-Loop 
on the target hardware. SIL tests must be applied before the HIL. 


4.7.3.8 Virtual Assessment 

Virtual assessment verifies prospective, quantitative traffic safety benefits and risks 
(see Section 2.1.2). They can be quantified using virtual simulation-based experi- 
mental techniques. For this purpose, traffic scenarios can be modeled considering 
Fig. 4.11 Fault Tree Analysis (FTA): Functional safety measures prevent traffic accidents 
caused by technical steering failures with the risk of personal injury. Data Sources: ISO 26262; 
* Bubb H, Bengler K, Grünen R-E, Vollrath M, 2015; # GIDAS; Chapter 3: Poor visibility 
scenarios 


safety-relevant key processes and stochastic simulation using large representative 
virtual samples. Virtual representations of traffic scenarios are based on detailed, 
stochastic models of drivers, vehicles, traffic flow, and road environment, along 
with their interactions. The models include information from global accident data 
(see Ch. 2), Field Operation Tests (FOT), Natural Driving Studies (NDS), labo- 
ratory tests, driving simulator tests, and other sources. Wide ranging, extensive 
simulations help identifying and evaluating safety relevant situations of automated 
vehicles. 


4.7.3.9 Driving Simulator Tests 
Driving simulator tests use models of vehicle dynamics and virtual driving sce- 
narios. They allow artificial driving situations and repeatable tests with various 
subjects. Potentially hazardous traffic scenarios can also be tested because in con- 
trast to real driving the virtual scenario is harmless. Different types of simulators, 
such as mock-up, fixed based simulator, or moving base simulator do exist. Sub- 
jective and objective methods can be exploited to measure the performance of test 
subjects in the driving task. Depending on the kind of potentially hazardous situa- 
tions controllability can be tested by some of these methods. Typical situations for 
driving simulator tests are high risk situations, driver take over reactions or inter- 
action between automated driving system environment monitoring and manual 
human driver mode. 


4.7.3.10 Driving Tests and Car Clinics 

Driving tests with different drivers provide useful feedback based on empirical 
data. Dynamic car clinics allow testing of driver behavior and performance while 
driving the automated vehicle in defined situations within a realistic environment. 
In a first step the objective is to identify relevant scenarios and environments 
(see Ch. 3). This makes it possible to specify and implement virtual tests followed by 
confirmation via driving tests and car clinics on proving grounds. Finally, before 
sign off and start of production (SOP) field tests confirm identified scenarios and 
environments if necessary. 


4.7.4 Approval Criteria from Expert Knowledge 


During the approval process, test procedures must be provided. Approval criteria 
in terms of “passed” and “not passed” are thus recommended for the final safety 
verification of automated vehicles. Regardless of which methods were chosen 
for final sign-off confirmation, the experts should all agree on which test criteria 
suffice for the vehicle to cope successfully with specified situations during a sys- 
tem failure or malfunction. Generally accepted values for achieving the desired 
vehicle reactions should be used for such criteria. An evaluation can result by 
using established methods. 

Taking the list of potential hazard situations as a basis (see Ch. 3), test criteria 
for safe vehicle behavior, and if possible also globally relevant test scenarios, 
are developed by internal and external experts. A team of system engineers and 
accident researchers is particularly required. The former group offers knowledge 
of the precise system functions, time factors, and experience of potential failures, 
while accident researchers bring with them practical knowledge of high-risk traffic 
situations (see Ch. 2). Every known risky situation that a vehicle can get into must 
be considered. At least one corrective action with regard to safety requirements 
should be specified by the developers for the risks identified. In terms of final 
sign-off confirmation, a test scenario has thus been “passed” when the automated 
vehicle reacts as expected or otherwise deals with the situation in a satisfactory 
accepted manner. 


4.7.5 Steps to Increase Product Safety of Automated Vehicles 
in the General Development Process 


To guarantee the product safety of automated vehicles, a thorough development 
concept is needed that is at least in line with state of the art and science. To 
this end, a general development process is proposed below, as is principally in 
use amongst car manufacturers for the development of series production vehicles, 
partially with small adjustments. For highly automated vehicles the development 
refers to measures regarding the safety process, activities to ensure controllability 
and appropriate human machine interaction (see Fig. 4.12). 

The generic development process for fully automated vehicle functions focuses 
on expert knowledge and the safety process and is represented graphically as a 
V-Model (see Fig. 4.12). As well as the development stages for the high automation 
it builds logical sequences of product development phases and selected milestones 
but not necessarily how long each stage lasts or the time between phases (Knapp, 
Neumann, Brockmann, Walz, Winkle, 2009). 

The process of methods thus forms a simplified representation in the form of a 
V-Model. This allows for iteration loops within the individual development phases 
involving all parties. Within this V-shaped process structure (see Fig. 4.13) ele- 
ments of the safety process are taken into consideration. In addition, early and 
regular involvement of interdisciplinary expert groups is recommended. From 
the definition phase until validation, sign-off, and start of production — experts 
from research, (pre-) development, functional safety, product analysis, legal ser- 
vices, traffic safety, technology ethics, ergonomics, production, and sales should 
participate in the development process. 

In the development steps for advanced automated vehicles, product and func- 
tional safety stands out as a key requirement. It relates to the whole interaction 
between the vehicle and its environment. Safe driver interaction and take-over 
procedures (Bengler, Flemisch, 2011; Bengler K, Zimmermann M, Bortot D, 
Kienle M & Damböck, 2012) should thus be considered when there is an inter- 
face necessary to the use case and functionality. Concerning product safety, fully 
automated vehicles essentially include five usage situations. 
Fig. 4.12 Development process for highly automated vehicles from the idea until market 
introduction: involving the safety process, activities regarding controllability and human 
machine interaction. (Source: Author, ADAS Code of Practice) 


Functional safety of fully automated vehicles must be ensured: 

1. within performance limits 
2. at performance limits 
3. beyond performance limits 

Functional safety should also be examined: 

4. during system failures 
5. after system failures 


Careful development with regard to safe usage of driverless vehicles must ensure 
they are able to recognize the criticality of a situation, decide on suitable measures 
for averting danger (e.g. degradation, a driving maneuver) that lead back to a safe 
state, and then carry out these measures. The requirements to be fulfilled from the 
above V-Model, which correspond to the overall product life cycle, are extensive 
and necessary for a completely new development. However, most systems are not 
developed from scratch but on the basis of existing components, which may have 
been in the field for a long time without known problems or errors. A developer 
does not want to repeat the development of a component that has already proven 
itself in operation. In this case, a component can be qualified for use in a new 
automated driving system by demonstrating that it is proven in use. For a "proven 
in use" argument it must be shown that the development was carried out carefully 
and meets the relevant requirements. In addition, it must be confirmed from 
systematically collected field data that failures (see 4.7.3.1 "failure in time") 
have occurred sufficiently rarely (see ISO 26262 Part 8, Clause 14). This proof 
rests on consistent configuration management during development and on the 
evaluation of failures during operation. 

Fig. 4.13 Development process for automated vehicles as a V-Model from the idea until 
market introduction involving recommended experts and the elements of functional safety. 
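As an added worked example (not from the book, the ADAS Code of Practice or ISO 26262 itself), the following Python shows how "sufficiently rare" is quantified from field data in such a proven-in-use argument. It assumes a constant failure rate, which is the model behind the "failure in time" figure (1 FIT = one failure per 10^9 operating hours), a one-sided 70 % confidence level (the level the editor understands ISO 26262-8 to use for proven-in-use; treat it, and the 1 FIT target used below, as assumptions to be checked against the standard), and a small constructed fleet record. From accumulated service hours and the number of observed safety-relevant failures it computes the upper confidence bound on the failure rate, decides whether a target is met, and states how many further hours would be needed.

```python
import math

FIT_HOURS = 1e9  # 1 FIT = one failure per 10^9 operating hours


def poisson_cdf(k: int, mu: float) -> float:
    """P(X <= k) for X ~ Poisson(mu); terms computed in log space to avoid overflow."""
    if mu <= 0.0:
        return 1.0
    total = 0.0
    for i in range(k + 1):
        total += math.exp(-mu + i * math.log(mu) - math.lgamma(i + 1))
    return min(total, 1.0)


def upper_bound_failure_rate(hours: float, failures: int, confidence: float = 0.70) -> float:
    """One-sided upper confidence bound on a constant failure rate (per hour).

    Given `failures` observed in `hours` of operation, find the largest rate
    still consistent with the data at the requested confidence, i.e. the
    lambda solving P(X <= failures | lambda * hours) = 1 - confidence.
    For zero failures this is the closed form -ln(1 - confidence) / hours,
    which at 70 % confidence gives the factor of about 1.2 seen in
    proven-in-use tables (assumed here, verify against the standard).
    """
    if hours <= 0 or failures < 0 or not 0.0 < confidence < 1.0:
        raise ValueError("need hours > 0, failures >= 0 and 0 < confidence < 1")
    target = 1.0 - confidence
    lo, hi = 0.0, 1.0                      # bracket on mu = lambda * hours
    while poisson_cdf(failures, hi) > target:
        hi *= 2.0                          # CDF falls as mu grows; widen until it crosses
    for _ in range(200):                   # bisection down to floating-point resolution
        mid = (lo + hi) / 2.0
        if poisson_cdf(failures, mid) > target:
            lo = mid
        else:
            hi = mid
    return hi / hours


def required_hours(target_rate: float, failures: int = 0, confidence: float = 0.70) -> float:
    """Service hours needed so the upper bound drops to `target_rate` (per hour)
    with `failures` observed; the bound scales as 1/hours, so solve at hours = 1."""
    if target_rate <= 0:
        raise ValueError("target_rate must be positive")
    return upper_bound_failure_rate(1.0, failures, confidence) / target_rate


def proven_in_use_ok(hours: float, failures: int, target_fit: float,
                     confidence: float = 0.70) -> bool:
    """True if the upper-bound failure rate, expressed in FIT, meets the target."""
    return upper_bound_failure_rate(hours, failures, confidence) * FIT_HOURS <= target_fit


# Constructed fleet record (hypothetical values, not real field data). Only
# failures relevant to the safety goal of the reused component are counted,
# which is why consistent failure classification in operation matters.
FLEET = [
    {"model": "A", "service_hours": 9.0e8, "relevant_failures": 0},
    {"model": "B", "service_hours": 6.0e8, "relevant_failures": 0},
]


def evaluate_fleet(fleet, target_fit: float = 1.0, confidence: float = 0.70) -> dict:
    """Aggregate the record and return the bound, the verdict and the shortfall."""
    hours = sum(r["service_hours"] for r in fleet)
    failures = sum(r["relevant_failures"] for r in fleet)
    bound_fit = upper_bound_failure_rate(hours, failures, confidence) * FIT_HOURS
    needed = required_hours(target_fit / FIT_HOURS, failures, confidence)
    return {
        "hours": hours,
        "failures": failures,
        "upper_bound_fit": bound_fit,
        "meets_target": bound_fit <= target_fit,
        "hours_still_needed": max(0.0, needed - hours),
    }


if __name__ == "__main__":
    result = evaluate_fleet(FLEET)
    print(f"{result['hours']:.3g} h, {result['failures']} failures -> "
          f"<= {result['upper_bound_fit']:.2f} FIT at 70 % confidence; "
          f"target met: {result['meets_target']}")
    # A single additional relevant failure in the same hours roughly doubles the bound.
    print(f"with 1 failure: <= {upper_bound_failure_rate(result['hours'], 1) * FIT_HOURS:.2f} FIT")
```

The point a practitioner should take from the numbers is the scale: claiming a rate below 1 FIT with no observed failures needs about 1.2 × 10^9 failure-free operating hours, and one relevant failure in that period pushes the bound to roughly 1.6 FIT, so the argument stands or falls with how rigorously field failures are recorded and attributed to the component.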

Fig. 4.14 gives an overview of a possible workflow from final sign-off up 
to decommissioning of a vehicle. In the final stages of developing an automated 
vehicle, the development team decides whether a final safety test for validation is 
required. Its purpose is to confirm that a sufficient level of safety for production has been 
reached: the development team verifies that the vehicle reacts as previously 
predicted or in another way appropriate to the situation. The data used here may 
come from risk assessment methods applied during development, such as hazard and 
risk analysis. There are three equally valid paths for signing off vehicles: a direct 
sign-off based on an experience-based (e.g. proven in use) recommendation of the 
development team; reconfirmation by an interdisciplinary forum of internal and 
external experts; or objective proof, i.e. a confirmation test with relevant traffic 
scenarios based on accident, traffic-flow, weather and vehicle operation data (see Ch. 3) 
or other verifiable relevant samples (see Fig. 4.14). 

Fig. 4.14 Recommended sign-off process for automated vehicles 


The development team chooses an appropriate path for each individual scenario; 
a mixed approach is also possible. Once the safety team has conclusively 
confirmed the safety of the system design and its functionality, the final sign-off can be 
given (see Knapp, Neumann, Brockmann, Walz, Winkle, 2009). 


4.7.6 Product Monitoring After Market Launch 


Subsequent to careful development, a manufacturer is obliged to monitor 
automated vehicles after placing them on the market, in order to recognize 
previously unknown hazards and take the necessary additional safety measures. Where 
necessary, car manufacturers are urged to analyze potential dangers (which can also 
arise from unintended use or misuse) and react with appropriate measures, such as 
product recalls, redesign or user information (see Fig. 4.14). 

A judgment of the German Federal Court of Justice (BGH) is often quoted 
amongst product safety experts as a particular example of the product-monitoring 
duty for combination risks with third-party accessories. Model-specific motorcycle 
handlebar fairings, accessories that had first been approved by officially 
recognized experts from a testing organization in June 1977, were alleged to 
have been responsible for three spectacular accidents including one fatality. On 
the day before the fatal accident, the motorcycle manufacturer in question had written 
personal letters warning all riders of the affected model it had on record. The 
victim, however, never received the letter. Although the manufacturer 
expressly warned against using the fairing, the company was ordered to pay damages. 
The BGH established a fundamental principle on this matter: 


"A duty of product monitoring may also fall on the manufacturer (and its distribution 
company) in order to detect in good time hazards that can arise from the combination 
of its product with products of other manufacturers, and to counteract them." 
(Bundesgerichtshof BGH, 1987; translated from the German) 


In future, companies will not only be required to monitor the reliability of their 
products in practice but, above all, to alert their customers to any hazards in 
daily operation, including those that arise from the use or installation of 
accessories from other manufacturers. 


4.7.7 Steps for Internationally Agreed Best Practices 


Due to their networking and complexity, it will be difficult to get a clear over- 
view of all the risks of automated vehicles in series operation. Therefore, the 
objective is to establish worldwide agreed best practices for legislation, liability, 
standards, risk assessment, ethics and tests. 

The ADAS Code of Practice, a result of the Response 3 project, was a funda- 
mental step towards commonly agreed and legally binding European guidelines 
for advanced driver assistance systems. ADAS were characterized by 
all of the following properties: they support the driver in the primary driving 
task, provide active support for lateral and/or longitudinal control with or without 
warning, detect and evaluate the vehicle environment, use complex signal proces- 
sing and interact directly with the driver (Knapp, Neumann, 
Brockmann, Walz, Winkle, 2009). 

ADAS primarily operate rule-based at the maneuvering level (time spans between 
about one and ten seconds) and, furthermore, within parts of the skill-based stabili- 
zation level (time spans of less than one second). Highly and fully automated vehicles, 
on the other hand, intervene knowledge-, skill- and rule-based at all driving levels 
for more than one second (see Fig. 4.15). 

Increasing sensitivity for defects is visible through a significant growth in pro- 
duct recalls worldwide. If unknown failures appear after vehicles have gone into 
production, appropriate measures have to be taken where necessary according to 
a risk assessment. 

For analyzing and evaluating risks stemming from product defects after market 
launch (in view of the necessity and urgency of product recalls), the EU and the 
German Federal Motor Transport Authority (Kraftfahrt-Bundesamt) use tables from 
the rapid alert system RAPEX (Rapid Exchange of Information System) (Euro- 
pean Union, 2010). To classify risks, accident severity (extent of damage 
S, according to AIS for example) and probability of harm are assessed first, simi- 
larly to the ALARP principle (As Low As Reasonably Practicable) (Becker, et al. 
2004), the ISO 26262 standard (International Organization for Standardization, 
ISO 26262, 2018) and the ADAS Code of Practice for active longitudinal and lateral 
support. The degree of risk is derived from this. The final assessment of the 
urgency of required measures considers the risk of injury for those at particular risk 
of being injured (as influenced by age, state of health, etc.) and the hazard for a 
healthy adult, as well as the protective measures in place, such as appropriate warnings 
(see Fig. 4.16). 

With regard to the injury risk classification between "vulnerable humans" and 
"healthy adults" (Fig. 4.17), Kalache and Kickbusch, members of the Ageing 
and Health Programme of the World Health Organization, published a report 
with a well-accepted concept in 1997. They showed that functional abilities, such 
as muscle strength and cardiovascular performance, peak in early adulthood and 
decrease linearly with age. Furthermore, the physical capacity of the population 
varies with age. 

Fig. 4.15 Worldwide agreed legislation, standards, ethics, tests for highly/fully automated 
vehicles with integration of knowledge-based navigation, skill-based stabilization and rule- 
based maneuvering levels (globe = outer circle). Further development of the ADAS Code 
of Practice for active longitudinal and lateral support or intervention in dangerous situations 
(ADAS = blue circle). 

Figure 4.17 suggests that every human being reaches a comparable functional 
capacity in early adulthood, the further course of which depends on lifestyle, 
disposition and environmental factors. The author's many years of experience in road acci- 
dent research confirm that age-dependent functional capacity has an influence on 
injury risk. 

Fig. 4.16 Risk assessment and derivation of essential measures in accordance with RAPEX, 
ALARP and ISO 26262. (Sources: RAPEX, ADAS Code of Practice, ISO 26262, ALARP) 

Fig. 4.17 Impact of injury risk by age and functional capacity. (Source: Winkle, T. According 
to: Kalache A, Kickbusch I. 1997, A global strategy for healthy ageing) 

The following questions relate to the activities for functional safety manage- 
ment: 


— Are people responsible for the specified safety cycle named? 

— Are the developers and quality managers informed about the scope and phases? 

— How are the proofs for quality and project management provided? 

— Were the ASILs derived correctly and assigned correctly based on the risk of 
a dangerous event? 

— Which criteria are used to decide whether it is a new development or just a 
product takeover? 

— How are the results of the risk analysis documented and communicated? 

— Which processes are used to support hardware development? 

— Were adequate measures taken to avoid systematic errors in highly complex 
hardware? 

— Which activities were defined for all V-Model phases? 

— What ensures that only the desired functions, but no unwanted functions are 
included? 

— Which measures ensure that the integrated software is compatible with the 
software architecture? 

— Have the required methods been applied for the ASIL to be achieved in 
accordance with the design, the software and hardware components used? 

— Are suitable methods defined for the test cases to be executed? 

— Are necessary maintenance schedules and repair instructions created? 

— Which requirements must be fulfilled for a project safety plan? 

— How are changes to safety-relevant components analyzed and controlled? 

— Is a sufficiently independent auditor or assessor integrated into the development 
process? 

— Are the necessary processes documented for all project participants? 

— How is the final system and application safety documented? 


(see Annex Fig. A.3, Example documentation sheet of the ADAS Code of 
Practice) 

4.8 Conclusion and Outlook 

Automated driving is currently the focus of legal interest. In 2017, the "Au- 
tomated and networked driving" ethics commission appointed by the German 
Federal Minister of Transport presented its report. At the same time, the new 
German Road Traffic Law came into force. In the current version of § 1b StVG, 
the passage "The vehicle driver may (...) turn away from traffic events and vehicle 
control" is inserted. However, he "must remain so attentive" that he can take over 
control "at any time". In addition, UN Regulation ECE R 157 (level 3) and a further Ger- 
man law create the legal framework for autonomous vehicles (level 4) in defined 
operating areas on public roads. 

In both cases, the main focus was not to hinder any development that could 
be expected to have a clear potential for damage avoidance and damage mini- 
mization. It follows that remaining risks do not stand in the way of the new 
technology if they contribute to a fundamentally positive risk balance (BGH 
decision). Dilemma situations have always served to clarify ethical and legal prin- 
ciples, as in the famous example of the so-called "trolley case". The answer 
of the law here is clear: killing a human being with the intention of saving 
others from certain death may be excused in a concrete case, but it remains unlawful 
in any case. The solution is therefore to avoid accidents in any case through adaptive 
and anticipatory driving. 

Shifting responsibility from the driver or holder to the party responsible for 
the technical system, in the sense of product liability, is under discussion. In 
the sharing of the driving task between a human driver and a technical system, 
responsibility must be redefined, since humans and machines act together in a shared 
driving task. The German liability system ultimately passes the risk of an accident 
on to the owner of the vehicle. Furthermore, manufacturers are liable within 
the framework of mandatory product liability. With this shift in liability, it must 
also be discussed how much safer a technical system must be in statistical terms 
for it to be accepted by society, and which methods lead to reliable confidence. 

On the one hand, society’s expectations are understandable as they increasingly 
require the highest, state-of-the-art levels of safety for new technologies. On the 
other hand, unrealistic demands for technical perfection and the striving for 100% 
fault-free operation may hinder automated vehicles from being launched on the 
market, and thus the chance of revolutionary potential benefits. 

The market launch of highly and fully automated vehicles has barriers pla- 
ced in its path. The first vendors on the market (the pioneers) therefore take on 
increased risks at the outset, so that the potential total benefit of these new techno- 
logies to society can only be achieved together with all parties. Homann describes 
these decision conflicts during market launch using the concept of decision theory. To 
overcome this dilemma as it pertains to highly and fully automated vehicles, the 
incalculable risks for manufacturers must be made assessable and determinable 
through new institutional arrangements (Homann, 2005). Unconditional informa- 
tion and transparent policy encourage and accelerate public discourse across all 
disciplines. 

Due to previous licensing requirements for series production vehicles, drivers 
almost always have to keep their hands on the steering wheel and permanently 
stay in control of the vehicle. Automated vehicles and vehicle developments by IT 
companies, car manufacturers and component suppliers will also be required to 
have a human driver as a responsible backup level in complex traffic situations 
for the near future. 

Driverless vehicles, on the other hand, signify the beginning of an utterly new 
dimension. New approaches and activities are essential (Matthaei, et. al. 2015). 
It is required to orientate ourselves to the future potential of automated driving 
functions, to learn from previous patterns and within the bounds of what is tech- 
nically and economically reasonable and adjust old methods to valid state of the 
art or state of science (Scharmer, Kaufer, 2013). 

Besides generally clarifying who is responsible for accident and product risks, 
new accompanying measures depending on the automation and development 
level are also useful for a successful market launch and safe operation. This 
includes identifying relevant scenarios, environments, system configurations and 
driver characteristics. Relevant maneuvers of driving robots have to be defined and 
assessed, for example using accident data (see Ch. 2) and virtual methods. Further 
investigation of real driving situations in comparison with system specifications, 
with tests on proving grounds, car clinics, field tests, human driver training or spe- 
cial vehicle studies, is recommended. Protective technical measures are necessary 
for the required exchange of information, for the storage of vehicle data (e.g. in an 
Event Data Recorder) and against possible criminal attacks (see Ch. 4). Besides 
demanding and agreed data protection guidelines (Hilgendorf, 2015), experts in technology ethics 
will ensure compliance with ethical values. Within this, safety requirements have 
to be answered in terms of "How safe is safe enough?" Expert experience can 
also contribute decisively to increasing safety and meeting customer expectations 
for acceptable risks. In the light of increasing consumer demands, such expe- 
rience, particularly from previous product liability proceedings, makes a valuable 
contribution to improving product safety during the development and approval stages. 
Before highly complex automated vehicle technologies, which will addi- 
tionally be applied in a multi-layered overall system, can go into mass 
commercialization, interdisciplinary concerted development and sign-off pro- 
cesses are required. A reliable evaluation of sustainable solutions ready for 
production demands new harmonized methods for comparable safety verification, 
e.g. by simulating relevant scenarios (Kompass K, et al. 2015; Helmer, 2015) 
including the planning of field tests (Wisselmann, 2015) from worldwide availa- 
ble and combined accident, traffic-flow, weather and vehicle operation data (see 
Ch. 3). This also applies to fulfilling legal and licensing regulations, identifying 
new options for risk distribution (see Matthaei et al. 2015), and creating new 
compensation schemes. 

To verify the duty of care in existing quality management systems, it is recom- 
mended to further develop experience-based, internationally valid guidelines with 
checklists built on the ADAS Code of Practice (Knapp et al. 2009; Becker, 
Schollinski, Schwarz, Winkle, 2003). Such standards further embody and 
document the state of the art and science within the bounds of technical suitability 
and economic feasibility. The ADAS Code of Practice was developed to bring 
safe Advanced Driver Assistance Systems with active support of the main driving 
task (lateral and/or longitudinal control, including automated emergency brake 
interventions, AEB) onto the market, and was published in 2009 by the European Auto- 
mobile Manufacturers Association (ACEA). It complements ISO 26262, which covers 
the requirements for electrical, electronic and software components. As a deve- 
lopment guideline it contains recommendations for the analysis and assessment of 
ADAS human machine interaction during normal use and in 
case of failure (Knapp et al. 2009; Donner, Winkle, Walz & Schwarz, 2007). 
With increasing levels of automation, upgrades of the functional safety and controllability 
methods (ISO 26262, ADAS Code of Practice) and other standardized methods 
such as virtual simulation (Helmer, 2015) will be necessary. Today the standards do not 
cover functional insufficiencies, for instance misinterpretation of objects or traffic situa- 
tions and the resulting false positive system interventions. An integral, scenario-based 
approach is recommended because automated systems will have to control entire sce- 
narios. In the event of serious malfunctions that threaten severe damage, product 
experts from the development process should be involved in the study of the cau- 
ses and be listened to. Motor vehicle experts who are not directly involved in 
the development should acquire the expertise to provide a specialist 
appraisal of new technologies in court. 
In the development of automated driving, networked thinking covering all dis- 
ciplines is required, with a flexible yet structured area for action. So far, the 
development has opened up an unknown world with many uncertainties that may 
cause reservation and resistance. For a successful launch of automated vehicles 
ready for production, insights collected in vivo from both the past and 
the present are essential prerequisites. Despite the technical, legal and economic 
risks, production readiness will in this way be of benefit to society. 
The previous chapters indicate that development approaches using innovative 
technology or Artificial Intelligence must be reviewed against the background of 
the increasing demands on interdisciplinary project teams as well as the growing 
complexity of automotive functions. As a result, proven management systems and 
system engineering approaches must be redefined or modified appropriately. 

Interviews with engineers, executive managers and a psychologist from the 
development department of automobile manufacturers show that a structured gui- 
ded process increases quality in respect of operational and functional safety. The 
final consulting concept (checklist with 303 questions in Annex B) includes guide- 
lines in addition to the aforementioned requirements. It will support the efficient, 
user-friendly development of new functions. 

In the subsequent empirical part, the previous lessons learned described above 
are supplemented by feedback from internal consultancy work between car manu- 
facturers. After twenty years of professional experience in consulting and advisory 
activity on the development of safe, innovative vehicle systems the author con- 
ducted structured surveys with responsible developers, top executive managers 
and group leaders. The interviews were carried out with the aim of examining 
the need and acceptance of a structured, guided development process using the 
example of the “Code of Practice for the Design and Evaluation of ADAS”. This 
internationally coordinated development guideline was created for the safe market 
introduction and reduction of product liability risks concerning advanced driver 
assistance systems (see Ch. 4). 
5.1 Response from a Guided Development Process 


A guided development process has the goal to support all involved developers 
at each stage with methods and checklists from the concept idea to the release 
and the market launch. The use of guiding documents, such as the ADAS Code 
of Practice, ensures that appropriate procedures and specification processes for 
the development of new systems are applied. As a result, the developer achie- 
ves adequate safety. At the same time, by processing checklists for specifying or 
evaluating, it is ensured that no significant aspects are overlooked during deve- 
lopment. Furthermore, compliance with the required due diligence or “Duty of 
Care” is documented and proved. 

Using prepared qualitative interviews, the author received extensive feed- 
back on the conception of a guideline-structured development process from 
Southern German automotive manufacturers. Ten employees were interviewed 
from administrative and technical staff up to executive management in the techni- 
cal development of future assistance systems. Among them were six development 
engineers, one psychologist within the development and three executive managers. 

Four engineers had experience on guideline-supported development through 
application of the ADAS Code of Practice in the context of development or cor- 
responding preparation. Engineer 6 had superficial knowledge while Engineer 5 
was unfamiliar with guided development. The psychologist and the three execu- 
tive managers were familiar with the content of the ADAS Code of Practice (see 
Fig. 5.1). 

Further background information on the 10 interviewed experts with departmen- 
tal affiliation and experience with guideline-supported development for specific 
tasks is provided below (see also Fig. 5.2): 


— Development engineer 1 from the chassis development department: 8 years 
ago he himself applied the ADAS Code of Practice for the first "lateral gui- 
dance assistant" in series development. Subsequently he moved to another area 
of chassis development. 

— Development engineer 2 from research/pre-development: he applied the ADAS 
Code of Practice in a research project on the "emergency braking" function. 

— Development engineer 3 from pre-development: he has been familiar with 
the ADAS Code of Practice since its publication in 2006. As part of a pre- 
development project, he initiated the first steps for an automated function using 
this guideline and then forwarded the checklist to the next development phase. 

Fig. 5.1 Overview of the interviewed experts with different experience on guideline- 
supported development 


— Development engineer 4 from chassis development: he knows the ADAS Code 
of Practice very well and has applied the guideline in the series development 
of emergency brake functions for the product line. 

— Development engineer 5: after completing his doctorate he is currently working 
on assistance systems. In future he will be responsible for the series develop- 
ment of a "traffic jam assistant" in a new vehicle series. He is not familiar with 
the content of the ADAS Code of Practice. 

— Development engineer 6 has recently become the developer in charge of the 
future series development of automated driving functions. He has not yet 
applied the ADAS Code of Practice, but is familiar with it. 

— The psychologist, like development engineer 6, has recently been put in charge 
of the future series development of automated driving functions. Prior to this, 
he had conducted numerous car clinics with naive subjects as well as 
driving tests with professional test drivers on behalf of automobile manufac- 
turers at a university. He has not yet applied the ADAS Code of Practice 
either, but is familiar with the guideline. 

— Executive manager 1 from chassis development (driver assistance systems) 
has previously asked his employees about their experiences with the ADAS 
Code of Practice. 

— Executive manager 2: development of the overall vehicle concept, process con- 
trol, homologation, regulations and type testing. He is familiar with the content 
of the ADAS Code of Practice. 

— Executive manager 3: development of vehicle safety, integral safety and 
assistance. He knows the ADAS Code of Practice and is familiar with its 
content. 


The extended overview of all interviewees shows that they are mainly 
active in series development. Two engineers work in research and/or pre- 
development (Fig. 5.2). 

Executive manager 2 is responsible for the final steps of the development pro- 
cess, in particular homologation, compliance with regulations, type 
testing and obtaining final approval from the technical department. Engineers 1 
to 4, who have used the ADAS Code of Practice in their development tasks, have 
professional experience of between five and fifteen years. In contrast, 
engineers 5 and 6, as well as the psychologist, with a lower level of work experi- 
ence of between 6 and 12 months, have no personal experience with guideline-based 
development work. Engineer 5 is not yet familiar with the contents of the 
ADAS Code of Practice. The three executives, with many years of professional 
experience of between 20 and 35 years, are familiar with the contents and the 
objective of this ADAS guideline. 

The survey focused on the following topics: 


— Success and/or failure of guided development projects 

— Different perceptions, expectations, ideas and conceptions about the optimal 
development process 

— Liability-based product responsibility of the developers 

— General developer's attitude to the development process 


An elaborated interview guide (see Annex C) served as a support for the mode- 
ration strategy. In order to ensure a smooth conversation, the chronological order 
of the topics was flexible. The arrangement of the questions in the interview was 
adapted to the course of the interview. The duration of each interview was between 
35 and 70 minutes. 

To obtain an overall picture, the survey covered both developers who 
were in favor of structured guidance support and those who rather see obstacles 
(see Sect. 5.2 to 5.6). All developers who took the survey had already been in con- 
tact with the guide or the checklists. Four of the developers had already worked 
actively with the ADAS Code of Practice. The three executives surveyed were 
familiar with the guide, but had not yet used it themselves. 

Fig. 5.2 Interviewed experts with business unit, professional experience and development 
tasks. (Source: Winkle Interview Analysis) 

For the detailed evaluation, the interviews were recorded with an audio device 
and subsequently transcribed. The transcribed results could thus be structured 
and evaluated (Kuckartz U, 2016). By means of grouped statistics, the most 
frequently used topics of the interview feedback were highlighted according to 
the number of times they were mentioned. This makes it possible to recognize the essential 
subject areas and to evaluate them against the transcript (Mertens D 
M, 2019; Scheu A M, 2018). For analyzing the words and for the graphical representa- 
tion, the general-purpose software Microsoft Word and Excel was used, applying a 
mixed-method approach (Döring M, Bortz J, 2016). 

The transcripts of all interviews contain 50,124 words and include 4444 nouns. 
All the nouns were evaluated in addition to the further analysis of the interview 
content. Of the total, 2703 nouns are attributable to the 6 developers, 387 to the 
psychologist and 1354 to the executives (see Fig. 5.3). 


Fig. 5.3 Transcript data for analysis: all words 50,124; all nouns 4,444 (developers 2,703, 
psychologist 387, executives 1,354). (Source: Winkle T, Interview Analysis) 


Initially, this evaluation considers the frequently used topic areas (nouns) of 
the employees in development. Three groups with six development engineers, one 
psychologist within the technical development and three executive managers were 
formed based on meaningful differences between the participants’ tasks. 

During the interviews, the three groups focused on very different topics. This 
alone illustrates the complexity of a successful collaboration. 
5.2 Engineers: Sensible Creativity under Time Pressure 


It is beyond doubt that developers constantly focus on the 
functionality of their "system" (60 nominations). Furthermore, the evaluation of 
all feedback from the development engineers shows "questions" (52 nominations) 
together with "question" (48 nominations) as the most frequently cited words, 
which tells us something about the engineer's approach: first he asks questions 
and then works on solving the technical challenges. 

It goes without saying that particularly amongst engineers "development" (42 
nominations) and "developers" (29 nominations) appear as part of their daily work. 
The factor "time" (32 nominations) is conspicuous and is mentioned 
much more frequently by the engineers who have to develop the new system 
than by the psychologist and the executives. In particular, the introduction of 
additional "topics" (34 nominations) or "documents" (29 nominations) raises the 
question of their "sense" (28 nominations) (see Fig. 5.4). 
Fig. 5.4 Feedback from development engineers, analysis of 2703 nouns with a minimum 
of 19 nominations. (Source: Winkle T, Interview Analysis) 
A clear finding from the interviews is that daily development activities are 
subject to colossal time pressure. The wide range of different work contents 
demands flexibility. Only on rare occasions are the developers able to plan a 
long time in advance. They are subject to a tight schedule and have to deal with 
a lot of documentation, instructions and tools. This is why current work orders 
are prioritized by urgency. 


5.3 Psychologist within Development: Priority to Driver’s 
Needs 


The task of the interviewed psychologist within the technical development who 
works in the area of chassis/driver assistance systems is to continue the develop- 
ment of a controllable driver assistance system that is already in series production. 
He plans to work with a guideline and checklists in the future. 

Within the scope of these interviews, the psychologist’s focus is on the functio- 
nality of the “system” (24 nominations). He frequently mentions the noun “clinic” 
(10 nominations) which may be interpreted as an expression of his commitment to 
carry out scientific tests. Topics such as “driver” (11 nominations), “development” 
(9 nominations), and “item” (7 nominations) are also mentioned more frequently 
than was the case with the surveyed development engineers (Sect. 5.2) and exe- 
cutives (Sect. 5.4). This confirms the expectation that the psychologist mainly 
considers the drivers from the point of view of their different driving behavior, 
expectations, abilities and limitations. 

Thus, the needs of the drivers have top priority: 


„(...) dass man sich insgesamt bei der Entwicklung mehr Gedanken drüber machen 
muss, was macht der Fahrer, was braucht der Fahrer, und was braucht der Fahrer 
nicht.“ (... that in development one generally has to think more about what the 
driver does, what the driver needs, and what the driver does not need.) 


In this process he considers it extremely important to ensure the controllability of 
the driver assistance or automated system through use of a “clinic” to deliver final 
proof of a safe “development”. 

With the help of a process consultant, his aim is the preparation of a car 
clinic: 


„(...) dass man eben sagen kann, wir wollen eine Studie machen, und dann haben wir 
da Leute, mit denen wir da immer sprechen können und die uns erklären, wie so eine 
Studie aussehen könnte.“ (... so that you can say: we want to carry out a study, 
and then we have people there whom we can always talk to and who can explain to 
us what such a study could look like.) 


Moreover the topics “standard” (6 nominations) and “code of practice” (6 nomina- 
tions) are frequently mentioned in connection with guideline-based development. 

At this point the psychologist takes particular care to ensure that sufficient 
design flexibility remains without restrictions during development of the system. 
To receive an honest evaluation in respect of observed requirements, he considers 
that an external consultant is needed — someone from outside the development 
department who could impartially assess the system. Consequently, he uses the 
word “department”, with 6 nominations, remarkably often. He points out that the 
opinion of experts within their own department is not easily changed by external 
opinions originating from outside the department. In addition, the psychologist 
considers the business policy scope. Different business units need to cooperate 
closely to achieve a successful company result (see Fig. 5.5). 
Fig. 5.5 Feedback from the psychologist within the development department, analysis of 
387 nouns with a minimum of 5 nominations. (Source: Winkle T, Interview Analysis) 
5.4 Executives Focus on Responsibility for Duty of Care 


For the executives surveyed in this study (from the areas of chassis, bodywork 
and total vehicle management), it is first apparent that their reasoning is 
based on the “topic/s” (46 nominations) they consider important within their 
scope of responsibility. 

Below are some examples: 


„Eine Möglichkeit wäre, dass man das Projekt spezifisch mal durchgeht und überprüft, 
sind alle „Themen“, die darin sind für dieses Projekt notwendig.“ (... One possibility 
would be to go through the project specifically and check if all the “topics” it contains 
are necessary for this project... ) 


„...Das „Thema“ Sensibilisierung. Am sinnvollsten mit irgendwelchen eklatanten Bei- 
spielen. Mir fällt so das Thema Toyota ein ...“ (... The sensitizing „topic“. Most 
meaningfully clarified with some spectacular examples. The Toyota topic springs to 
mind ...) 


„... wurden entsprechend auch über das Tool alle wichtigen „Themen“ ausgefüllt — 
alles sichergestellt? ...“ (... were accordingly all important “topics” appropriately 
filled out using the tool, everything assured? ...) 


The sample question mentioned is representative of the correspondingly high 
number of “question/s” (37 nominations) in relation to liability. 

Furthermore, the terms “sign-off” (29 nominations) and “standards” (24 nomi- 
nations) illustrate the main areas of interest. In addition, “responsibility” (13 
nominations), “law” (12 nominations) and “State of the Art” (10 nominations) 
are often used. This indicates that managers in particular are concerned about 
the legal and political situation. Above all the responsibility, particularly with 
regard to the “sign-off” of the “system/s” (34 nominations) to be developed, is 
of central interest. The term “State of the Art” is mentioned strikingly often, an 
indication of their responsibility for safe system development (see Fig. 5.6). 

Executives know about the legally binding nature of system releases and thus 
recognize the need to further establish the use of guideline-based checklists. 
However, as already mentioned, they do not regard it as an objective to enforce 
binding application through pressure from line management above, or by 
establishing a standard. As a long-term goal, the independent and self- 
responsible processing of checklists is seen as sufficient, without the need for 
additional regular checks during system development. Acceptance is to be 
achieved by the credible commitment of the executives and the increased involve- 
ment of the developers, through which they change “from stakeholders to parties” 
(Osmetz, D. et al. 2004). Findings from studies confirm that the credible com- 
mitment of top management, together with the involvement of the employees, is 
decisive for successful changes (Claßen M, Kyaw F 2010). 

This way of involving the employees would make it easier for managers to 
share responsibility for sign-off. They could rely on the relevant checklists 
having been completed in full and on time, which also confirms that all relevant 
requirements had been considered during development. 

Comparing the word nominations of the executives with those of the development 
engineers shows that “topic/s” are much more clearly in the foreground for the 
executives (15 nominations per executive vs. 6 per development engineer). By 
contrast, “question/s” are raised more often by the development engineers (17 
nominations per development engineer vs. 12 per executive). 

Therefore, it can be concluded that executives are more accustomed to thinking 
in terms of “topic/s” or “solutions” rather than open questions (see Fig. 5.7). 
Fig. 5.6 Feedback from executive managers, analysis of 1354 nouns with a minimum 
of 19 nominations. (Source: Winkle T, Interview Analysis) 

Fig. 5.7 Comparison of nominations of 3 executives and of 6 developers. (Source: Winkle 
T, Interview Analysis) 


5.5 Advantages of Guideline-Based Development 


Among all the interviewees, there is a generally open-minded and constructive 
attitude towards guideline-based support as an orientation aid with suggestions 
for the approach to developing new innovative vehicle systems. In particular, 
less experienced engineers or developers from different disciplines can benefit 
from the included reminders and the documentary support. Competent support with 
an internationally accepted document is preferred to a transfer of personal expe- 
riences among colleagues. Support by accompanying documents such as Codes of 
Practice, which are binding not only inside the organization but also for all 
international automobile manufacturers and suppliers, is greatly appreciated. In 
the opinion of the interviewees, such a binding character leads to a higher level 
of care and increased motivation to adapt the new system to valid standards or 
to meet the requirements for system approval. 

None of the developers has continuously used the Code of Practice guideline 
during the development stages on their own initiative. One reason for the 
non-application was the opinion that a guideline is not necessary because 
adequate intra-departmental experience already exists, or that the fulfillment 
of relevant standards, approval regulations or sign-off tests from other depart- 
ments suffices. Corresponding checklists were only processed if active support 
was provided. The respondents considered working together with a consultant to 
be easier and more effective. In the short term, it was possible to eliminate any 
uncertainties that arose. A further important advantage was seen by the interview- 
ees in the dual control (four-eyes) principle at the end of the development 
process, which acts as a check that all main issues were considered. 

Overall, guideline-based development work, as illustrated by the example of the 
Code of Practice, has so far encountered a number of obstacles. The major 
barriers are currently the lack of awareness and the oversized scope. Only a few 
developers are aware of colleagues or departments that use the Code of Practice. 
Moreover, as only a few inform themselves about the importance of guideline-based 
development work on their own initiative, the process has to be initiated by a 
responsible person. A more user-friendly form, together with intensive 
consultation work, promises a significant increase in practical application. 
Integrating a binding application into the daily development routine requires 
close cooperation between the responsible executives and developers. The greater 
their personal responsibility within the development of new systems, the more 
useful the surveyed persons considered the guideline to be. Regular application 
will therefore depend on the guide being perceived as an advantage, which then 
provides the motivation for its use. 


5.6 Conclusion: Structured Expert Communication 
Improves Quality 


In individual interviews, a guideline-based development structure in the research 
and development centers of German automobile manufacturers was examined. 
The investigation was inspired by the practical application of the approach based 
on the guideline-supported example of the ADAS Code of Practice. 

This yielded a great deal of information about the development staff’s perspective 
on the sustainable development of safe vehicle systems and on their acceptance of 
structured, guideline-oriented development work. 

For evaluation of the feedback, the interviewed development staff were grouped 
into six engineers, one psychologist and three executives. Among other things, 
the evaluation revealed that engineers are looking for meaningful creativity when 
developing a new system under time pressure. The feedback from the psychologist 
within the development department confirms his prioritizing of the needs of 
drivers and the proof of the controllability of the new system. Executives, on 
the other hand, focus more strongly on the responsibility for sign-off, thus 
completing the requirements for safe and fully documented development work. 
Overall, it is apparent that development engineers, psychologists and managers 
look at the development of a new system with different perspectives, interests 
and attitudes, while in general all of them welcomed the tool. Each expert 
contributes to the development of a reliable system through their special field 
of expertise. As explained in previous chapters, these views are important, since, 
for example, technical system limits or operating errors by end users could lead 
to dangerous situations and accidents, and in turn to a harmful loss of image for 
manufacturers. 

A guideline with supportive advice “forces” all participants involved in the 
product development process to sit around a table introducing and discussing 
their different aspects in a structured way. 

Through the surveys, the developers were sensitized to the advantages of 
a guideline-based sustainable team development process. Often the employees 
themselves are the best advisors. The developers concerned are the most aware of 
the weaknesses and can initiate innovations in companies from the “bottom-up”. 

As a team developer, the author repeatedly observes disruptions in the self- 
organization of a team that result in a lack of communication or conflicts between 
individual employees. Within the team development measures carried out for 
this purpose, the author conveys the values of the Inner Development Goals 
(IDG), considering the Corporate Social Responsibility and sustainability princip- 
les of the United Nations Sustainable Development Goals (SDG) for sustainable 
development on our planet (see Annex B questions 103 to 303, see also Fig. 
A.19). 
6 Consulting Concept to Develop New Systems 


The above-mentioned interview outcomes and the resulting strong interest in sup- 
porting consulting services point to a great need for structured advice during the 
development process of new systems. The following questions supplement some 
requirements for duty of care, listed as examples in sections 3.2.2 and 6.2, 
from the first idea to marketing. 


6.1 Intrinsic Motivation 


From the engineer’s perspective time and effort are the basis for the acceptance, 
which is necessary for the successful use of a guideline or checklists. In gene- 
ral, the developers must be convinced of the advantages of a guideline. Only if 
checklists can be integrated into the daily development routine with little loss of 
time is there a motivation for their use. For this purpose, user-friendly solutions 
for editing as well as clear, quickly recognizable questions with little scope for 
interpretation are required. The results of the interviews clearly show that the 
value of complete documentation within the product development in the event of 
a customer complaint was largely recognized. Some developers do not see any 
added value in completing the provided Excel lists in their daily work. There- 
fore, complete documentation is only possible through increased motivation or 
more pressure from the outside. It is revealed that a positive attitude towards 
encompassing process documentation is linked to responsibility. According to 
these developers with a high sense of responsibility, consistent documentation 
leads to an experience-based work process and therefore less expenditure of time. 

An obligation to produce documentation based on additional pressure from 
the hierarchy above will discourage both the developers and the managers. This 
would lead to simply ticking off all the items on the checklist rather than 
responsible and reflective processing of all work tasks. 

Therefore, competent supervision from an independent consultant from out- 
side the respective area is recommended for achieving continuous documentation 
throughout the development process according to the duty of care. Most of the 
respondents want a point of contact or personal contact person, who will always 
be on hand with competent technical or legal advice and assistance for any questi- 
ons or problems that arise. In the case of a developer, guidance, sense and purpose 
for the benefit of the individual developer are primary motivations. This means 
that a structured guideline will only be used with conviction if it is perceived as 
an advantage. 

Thus, the demonstration of the potential for optimization and increase of safety 
by means of a guide-supported development process represents a significant step. 

In addition, the survey found that the employees in the development depart- 
ments are satisfied with their work and tasks. In particular, the variety of the 
day-to-day work is perceived as particularly enjoyable and motivating by many 
developers. The work on the development of innovative driver assistance and 
automated systems requires innovation processes, which, in addition to the admi- 
nistrative tasks of the employees, require corresponding open space for creativity 
(Schleuter W, von Stosch, J, 2009). Likewise Ekkehard D. Schulz, also a member 
of the Supervisory Board of MAN SE, writes in his book (55 reasons to become 
an engineer): “Creativity and courage are the characteristics that every 
engineer needs” (Schulz, E-D, 2012). 

According to the statements of the surveyed developers, they are also given 
plenty of freedom to develop new ideas and exploit their creativity. This gives 
the interviewed developers an intrinsic motivation for their work. A particularly 
pronounced motivation is developing the best possible new systems, something 
which occurs when developers accompany the entire development process right 
up to the start of production. 

This is also shown by the example of Carl Benz: current developments without 
a passion for technology are unimaginable. Despite all the negation, rejection and 
mockery in response to his work for days and nights, Carl Benz, with the support 
of his wife, bravely believed in the future of his patent car. After further 
optimizations and due to the increased public interest, countless press articles 
subsequently dealt with the industrial success of the automobile in the first deca- 
des of the twentieth century. They show that these initial forecasts have been more 
than exceeded (Benz, Carl Friedrich, 2014). 
6.2 Consulting Questions to Fulfill Duty of Care 


An overview of all generated consulting questions to comply with duty of care is 
attached. In the manufacture of vehicles with innovative systems, general consi- 
deration must be given to strict liability: the manufacturer or distributor of a 
product is liable for its proper functioning without any faults (see Ch. 4). 
Liability also exists for individual defective systems. The author’s experience 
with the processing of product liability cases led to the following general 
questions for a consultant to the development process: 


— How carefully are the tasks of development, production, sustainability and 
marketing implemented? 

— What is expected beyond the legal requirements? 

— Will possible damage be avoided or its effect reduced if another design is used? 

— How does the system behave in comparison to the competitors (other car 
manufacturers)? 

— Were preventive and comprehensible warnings made available to prevent 
possible damage? 


As well as these questions, most of the quality standards are formulated relatively 
generally. For vehicle manufacturers, this means that concrete measures for pro- 
duct safety must be developed on their own. Furthermore, it should be noted that 
the comprehensive measures extend to several areas of responsibility within the 
company. These relate to design, production, technical documentation, purcha- 
sing, sales and service. In this respect, the management is centrally responsible 
for the overall process. 

Many different systems exist on the market that are based on different tech- 
nologies and assume different functions. The challenge is that the current safety 
level of development in respect of automated driving systems is difficult to cha- 
racterize. The developer has to check the duty of care, the current standards or 
the state of knowledge as a general state of the art. He has to decide “how safe is 
safe enough”. 

Other accompanying development guides like a code of practice also relate to 
elements of safety enhancement (see Fig. 6.1). In particular, the ADAS Code of 
Practice proposes methods for verifying the controllability of new systems. The 
application of appropriate confirmation paths for system approval is included in 
chapter 4. 

In addition, numerous other checklists and design recommendations must 
be considered for the system-specific applicability of the system that will be 
developed. These include for instance: the ESoP specifications for In-Vehicle 
Information Systems (IVIS), internal company checklists or lists such as the “Sa- 
fety guidelines for mobile services in automotive use from the Mobile Automotive 
Cooperative Service (MACS) MyNews-Services”. 

ISO 26262 addresses the potential hazards of a system with regard to functional 
safety, i.e. hazards caused by malfunctions; the specification of the safe target 
function itself is not considered, even though it is the basis of functional 
safety (Kriso, 2014). Nevertheless, the question arises as to how the target 
function is to be specified or developed so that it can be regarded as sufficiently 
safe. For this purpose ISO/PAS 21448 Road vehicles: Safety of the Intended 
Functionality (SOTIF) was additionally developed. In ISO 26262, the consideration 
of this question has so far been limited to the topic of controllability with 
reference to the ADAS Code of Practice. These guidelines can be structured along 
three primary driving tasks (see Fig. 6.1). 


Fig.6.1 Guidelines and related primary driving tasks. (Source: Winkle T, Based on ADAS 
Code of Practice (2010) p. 20 Figures: Prof. H. Bubb TU München (2005): Chair for 
Ergonomics) 
A topic to be discussed is the extent to which foreseeable or unforeseeable mani- 
pulations can lead to safety-critical effects, especially with regard to automotive 
functional safety (Kriso, 2014). 

In addition to systematic faults and random hardware faults, the threat of 
deliberate manipulation must also be considered. With regard to automotive 
security, the guideline SAE J3061 “Cybersecurity Guidebook for Cyber-Physical 
Vehicle Systems” was published in 2016; among other things it deals with the 
interaction between safety and security. 

Part 2 of the updated standard (ISO 26262, 2018) already includes a loose 
coupling to security: 

“The organization shall institute and maintain effective communication chan- 
nels between functional safety, cybersecurity and other disciplines that are related 
to functional safety, if applicable.” (ISO 26262, 2018) Ch. 5.4.2.3. 

Therefore, the main purpose is about combining organizational communication 
channels with neighboring disciplines. In particular, the link to security is taken 
up again in the informative ISO 26262 Annex F (Guidance on potential interaction 
of functional safety with cybersecurity). However, the indications given here are 
at a quite general level. 


6.3 Conclusion: Structured Guidelines Support a Safe 
System 


The survey in the development departments shows a great need for structured 
advice during the development process including a strong interest in suppor- 
ting consulting services. Additional suggestions from established standardized 
processes such as the Toyota Production System (TPS) can be used. In order 
to maintain the general quality, the TPS describes the prevention of hazards. 
Failures due to information deficiencies and product designs that do not meet 
customer requirements can be considered as defects. Product quality should be 
monitored constantly and not only by random sampling. To achieve this, all 
employees in production and logistics must be appropriately trained and sensi- 
tized. This approach is also taken into account when applying the method Total 
Quality Management (TQM). Another method is called Poka Yoke, which means 
“avoiding unintentional errors”. 

Only when employees in organizations register that sustainable management 
is interested in their daily problems in the process and actively supports them in 
solving these problems do they realize that continuous process improvement is 
indeed desired. An exclusive result orientation causes demotivation. On the other 
hand, a supportive and flexible process-oriented sustainable management will 
motivate employees and achieve organizational sustainability. Additional invest- 
ment in employee qualification is the decisive competitive advantage for safe 
products in successful corporations facing changing requirements in the fight 
for quality and costs along the supply chain (Benn S et al., 2014; 
Hahn T et al., 2014; Chopra S et al., 2007). 

Within this consulting concept carried out to develop new innovative systems, 
the author conveys the values of the Inner Development Goals (IDG), consi- 
dering the Corporate Social Responsibility and sustainability principles of the 
United Nations Sustainable Development Goals (SDG) for globally sustainable 
development. 


The 17 United Nations Sustainable Development Goals are further guidelines 
within this consulting concept to achieve better and more sustainable new sys- 
tems for everyone. They focus on the global challenges we are confronted with, 
including poverty, inequality, climate change, environmental degradation, peace 
and justice. As a support, the Inner Development Goals (IDG) serve as a guide 
to the skills, qualities and capabilities people need to achieve the 17 Sustainable 
Development Goals (SDG). In doing so, they aim to educate, inspire and empower 
people to be a positive force for change in society and to take a more purposeful 
view of our lives and the lives of those around us. These are compatible with the 
questionnaire in Annex B (see Annex B questions 103 to 303, see also Fig. A.19). 
7 Summary and Discussion 


7.1 Current agile management changes 


From the author’s observation, increasing economic pressure is requiring leader- 
ship and employee teams to become more innovative, faster, efficient, highly 
profitable and more prepared to take risks. It is no longer sufficient to work 
effectively or goal-oriented. 

This will give rise to concerns that new innovative developments using Arti- 
ficial Intelligence could lead to external control by Artificial Intelligence. This 
focuses on ensuring controllable collaboration between humans and increasin- 
gly intelligent machines. Approaches to the challenges of new developments and 
development teams in the dilemma between Artificial Intelligence, ethics and the 
legal risks are considered in more detail here using the example of Automated 
Driving. 

The automotive industry, for example, is in the process of a fundamental 
change, as conventional vehicles no longer meet mobility requirements, especially 
in urban areas. As a result, many predict a disruptive change, to which new 
innovative developments are the response (Dudenhöffer, 2016). One such answer is 
automated driving systems, which offer great potential for increasing safety, 
comfort and efficiency in road traffic and for reducing environmental pollution. 
In the long term, fully automated or autonomous vehicles offer many useful 
advantages: while driving, non-driving activities can be carried out, so that 
the time is used efficiently. Older or physically handicapped people can also 
become mobile again. It also supports new business areas, especially car sharing. 

The business models differ radically. The approaches of Google, Apple, Face- 
book or Tesla do not aim for profit margins from the sale of automobiles, but 
for security and expansion of data competence, a new level of networking. The 
customer of the future is increasingly looking for new mobility services to get 
from A to B. 

© The Author(s) 2022 
T. Winkle, Product Development within Artificial Intelligence, Ethics and Legal Risk, 
https://doi.org/10.1007/978-3-658-34293-7_7 

Until now, the German road traffic regulations (Straßenverkehrsordnung, StVO) 
firmly established the permanent controllability of a vehicle. According to 
§ 3 Section 1 StVO, for example, the driver may only drive so fast that he is 
able to control the vehicle at all times. Initiatives at UN level continue to 
drive forward the ALKS (Automated Lane Keeping System) with future speed 
extensions. Similarly, the German Bundesrat passed a law on autonomous 
driving in 2021. As described in section 4.7.1, some cases are already known and 
published in which unexpected or missing reactions of automated systems occurred. 
However, after fatal traffic accidents (for example Tesla “Autopilot” 2016/2018, 
Uber self-driving vehicle, 2018) automated vehicles must face the discussion of 
the dilemma between innovation and consumer protection, which leads to a dee- 
per need for research on the requirements to develop safe automated 
vehicles. 

Previous safety methods will no longer be sufficient for the verification of 
complex automated driving functions. Therefore, the requirements to develop safe 
automated vehicles between the dilemma of innovation and consumer protection 
were examined in more detail in this study. 


The following topics have been processed: 


— Existing development specifications for use in the development of partially, 
highly and fully automated vehicles (see chapters 4, 4.6) 

— Instruments to ensure the required quality of the safety process of automated 
vehicles (see chapters 2, 3, 5, 6) 

— Expectations of potential users and developers for the product safety of 
automated vehicles (see chapters 2, 4, 4.5) 

— Increasing the product safety of automated vehicles by taking expert experi- 
ence into account (see chapters 4.7, 5) 


7.2 Findings 


This book demonstrates that both professional knowledge with sustainable leader- 
ship decisions and concepts of psychological development with mindfulness are 
growing in importance. It further confirms that development work, using the exam- 
ple of automated driving functions with Artificial Intelligence, will be successful 
through close structured support and sustainable leadership between teams of 
experts. Such close teamwork, including the knowledge from area-wide accident 
data in addition to other field studies (Driving Simulator, Natural Driving Stu- 
dies, Field Operational Studies), legal framework conditions with liability cases 
and validation methods, will support the development of safe automated vehicles. 
In the future, the main focus will be on developing the level of safety that auto- 
mobile manufacturers have to ensure. Finally, court decisions will decide on the 
permitted risk in concrete cases. A definition of permitted risk would be suitable 
to structure and limit the criminal liability of manufacturers of automated systems 
appropriately in the future. 

The usage of the final consulting concept (including feedback from the development departments and the checklist in Annex B) developed in this book is a way to reduce the risk of criminal consequences for the company plus the threat of prison punishments for individual employees. The concept supports the development of an automated vehicle (in the context of what is technically practicable) as safely as possible.

With the support of this checklist concept, the developers have resources and a common understanding to reduce criminal consequences to an absolute minimum. It demonstrates that the most appropriate procedures have been applied in development, including risk identification, risk assessment, and assessment methodology.

Initially, the exemplary findings of traffic accident research in chapter 2 indicate that human error — with mainly information reception limits of almost 60 percent — seems to be the main cause of road accidents. In the first instance, this raises great expectations for the benefit of automated vehicles. However, estimating the actual safety potential of highly and fully automated vehicles from accident data therefore requires a differentiated comparison of the overall performance of man and machine. Subsequently, this calls for detailed information about functional characteristics and technical limits planned for mass production.

Before series development is considered, driverless vehicles, supported by 
automated systems, must at least correspond to the driving ability of an attentive 
human driver to further reduce the number of road accidents. 

For example, development engineers are particularly faced with technical challenges regarding complex traffic situations. This applies, for instance, to technical limits and time-critical situations, such as a child suddenly running in front of a vehicle or difficult weather conditions. Only when these technical challenges have been overcome is a large-scale rollout of marketable, fully automatic vehicles likely to be realized.
The potential of information from traffic accident data is not yet completely used. Previous accident analyses are usually not nationwide and are limited by criteria. Predefined analysis criteria of accident research teams are usually limited to certain locations, times, special collision conditions (such as airbag deployment, involvement of injured persons, special pedestrian accidents, vehicle types or other general conditions) and must therefore first be weighted for statistical relevance. For example, area-wide minor accidents with minimal contact and minimal damage to property (see Sect. 3.3.2.5 Examples for minor and no damage to property), or traffic violations that come very close to “near misses”, are not investigated in depth.

To obtain real-world test scenarios, for the first time 1,286,109 state-wide police-recorded accidents were analyzed in chapter 3 with regard to challenging information reception limits. The results indicate 374 scenarios with bad weather traffic conditions (fog, glare/blinding sun, rain, black ice (snow/ice), snowfall, blinding oncoming traffic, visual obstruction) that are also relevant for testing automotive sensor systems.

In particular, a fatal pedestrian accident scene was examined at the accident 
site under similar conditions concerning the perception capabilities in comparison 
of human and machine. The situation shows that such indicated scenarios have 
to be considered for sign-off testing after the careful selection of sensor concepts 
and the development of algorithms. 

Consumers require the highest, state-of-the-art levels of safety for new technologies, but those demands for technical perfection are unrealistic and 100% fault-free operation is not possible. A market introduction of automated vehicles is accompanied by the risk that court decisions will more frequently attribute accidents to design faults, since a certain risk of accidents can never be completely excluded. However, the liability of the manufacturer is excluded if the defect could not be detected according to the state of science and technology at the time when the manufacturer placed the product on the market. The manufacturers are obliged to observe their products. This can be supported by the analysis of accident events as described in chapters 2 and 3.

Thus, the results of chapter 4 show that interdisciplinary coordinated development and sign-off processes are necessary. A reliable evaluation for production-ready solutions requires comparable risk assessments and safety proofs, e.g. by simulating relevant scenarios, including the planning of field tests from globally available and combined accident, traffic flow, weather and vehicle operating data.

This also covers compliance with legal and licensing regulations, the identification of new ways of risk distribution and the creation of new compensation systems, because, with the increasing use of automated vehicles, the manufacturer’s liability may also increase. Today the standards do not cover functional deficiencies, for instance the misinterpretation of objects and traffic situations and the resulting false positive system interventions.

Qualitative interviews in development departments of German automobile manufacturers show that structural, legal and regulatory support by independent experts, in conjunction with sustainable leadership as well as a guideline-based structure, can make a significant contribution to the safe development of new innovative systems using Artificial Intelligence. The results of this survey in chapter 5 show that the main challenge for the employees of the development departments is to develop these new systems in a customer-oriented, safe and controllable manner for the vehicle users:

It turns out that engineers are looking for meaningful creativity, although they work under tremendous time pressure when developing a new system. In contrast, executives are primarily focused on the responsibility for liability and a timely sign-off. They expect the fulfillment of the safety requirements and a completely documented development process. This is presumably because they are afraid of being sued for dangerous situations and accidents due to technical system limits or operating errors by the end user, which can also lead to a painful loss of image for the manufacturer.

In particular, the survey showed that a structured guideline with supporting 
advice forces the parties to come together on an interdisciplinary basis, to clearly 
present and discuss their diverging aspects and to decide according to the duty of 
care. 

One effect of the survey was that it sensitized the interviewed development departments to the advantages of a guideline-based development process. The interviews also show that usually the developers themselves, with their technical expertise, develop safe automated vehicle systems when they are motivated to engage in interdisciplinary exchange with other experts from neighboring disciplines. Design engineers know the weaknesses of their new technical system best and can initiate innovations “bottom-up” in companies.

Additionally, the interviews confirm that a guideline-based approach enables 
the affected developers to clearly and neutrally point out risks with corresponding 
proposals for measures because they know the limitations of their new technical 
system best. 

A selection of 303 key questions (Annex B), ranging from technical requirements, sustainability and Corporate Social Responsibility up to criteria for communication, teamwork, leadership qualifications as well as Inner Development Goals, supplemented by a consulting concept in chapter 6, supports the establishment of standardized processes and consulting services.
7.3 Integration of findings


A mindful corporate team management, within new working conditions (New Work, Hybrid Work, Flexible Work) including Artificial Intelligence, must show a sustainable orientation for new developments. A sustainable orientation includes knowledge of the existing objective facts, the possibilities and risks of Artificial Intelligence, as well as the ethical and legal implications. According to this, political, economic and social decisions must be aligned in an equally sustainable manner. Artificial Intelligence can support managers in linking knowledge and designing complex functions, such as automated driving. In this context, management must ensure that new innovative product ideas — with the help of comprehensive information on secured development methods, production and release processes, through to marketing and product monitoring — are carried out with the intention of humane use.

This book also demonstrates, using the example of automated driving, that successfully interacting teams can reduce the criminal consequences for the company and the individual developer to a minimum if guideline-based checklists with relevant standards and methods are applied. Integrating the findings supports automobile manufacturers and their developers in dealing adequately with the new challenges in the field of functional safety of complex electrical/electronic systems and software topics, in order to prevent criminal law punishment for a “defective product”:


1. Successful, self-reflective teams benefit from a guideline-based work process including requirements and consumer expectations:
The basic prerequisite for successful teams are self-reflective team members who work together successfully (see checklist in Annex B from question 102 with inner development goals). Only with a successfully interacting team of experts can Original Equipment Manufacturers cope with new technical developments, legal developments on product liability, international conflicts, and ethical and social requirements in connection with economic risks. This means that very high demands for quality and safety are placed on the development from product idea to marketing, whereby customer expectations on the functionality and safety of use, with a correspondingly strong influence on traffic safety, are of primary importance. Events in recent years have publicly shown that failure to comply with specifications can result in legal responsibility for developers and executives.

Predictions according to the ADAS Code of Practice and current questionnaires of more than 3000 people in Germany, the USA and China confirm that the expectations for functional safety are rising with an increasing level of automation (see Annex Fig. A.2 and A.4 to A.6). Therefore, an extension of the established test procedures is necessary to enable automated driving levels and at the same time to consider the entire range of possible traffic situations as comprehensively as possible in the safety tests.

For the development process from the first idea to the development, this elaboration recommends interdisciplinary, harmonized safety and test procedures. In this context, the further development of current internationally agreed standards including tools, methodological descriptions, simulations and guidelines with checklists is recommended. These will represent and document the practiced state of science and technology, which must be implemented in a technically suited and economically reasonable way.


2. Successful development teams benefit from the implementation of comprehensive measures for product monitoring:

Opportunities for product monitoring must be used. This includes, for example, 
the monitoring of operational data, road accident events, and internet forums. A 
judgment of the Federal Court of Justice (BGH) as early as 1987 stated that in 
future companies must not only monitor the reliability of their products in practice, 
but above all draw their customers’ attention to risks in daily operation — including 
those arising from the use or installation of accessories from other manufacturers. 

The potential of information from nationwide databases and traffic accident data 
is far from fully explored. Previous accident analyses are mostly limited by criteria. 
Certainly, traffic accidents only represent a part of the traffic situation, but they 
play an important role in terms of consumer protection with civil and criminal law 
implications. Furthermore, small accidents with minor contact come very close to 
“near-accidents”. An analysis of traffic violations, which has not been discussed 
here, could also provide valuable information. 

For the development and validation of safe automated vehicles with reasonable effort, the author recommends test methods that consider a combination of worldwide traffic accidents, weather and vehicle operating data and traffic simulations. This enables a realistic evaluation of internationally prospective traffic scenarios with statistically relevant real traffic scenarios as well as fault processes and stochastic models for controlling critical driving situations. These must be combined with virtual laboratory or driving simulator tests.

A representative driving situation catalogue including challenging and bad weather situations is recommended, which is simulated for all manufacturers according to the same specifications, with the results being made available to the official institutions. This procedure ensures transparency of the overall effect of new automated driving functions in real traffic.

When designing driving strategies for behavioral decisions, the focus should be on completely avoiding dilemma situations, for example by designing vehicles for a correspondingly low-risk driving strategy.


3. Successful teams are advised to engage an independent consultant beyond the respective development area:
The interview partners would like to have a neutral face-to-face contact person outside of the development department who is always available to provide competent technical or legal advice in the event of questions and arising problems.
Competent support by an independent consultant from outside the respective area is recommended by all developers interviewed. This adviser should support decisions and the accompanying documentation during the entire development process in conformity with the duty of care regarding the central question:


“Is the developed system safe enough for market introduction?”


4. Successfully interacting development teams benefit from constant monitoring of social, ethical and legal issues

The author’s consulting work within corporate groups shows: Boards of directors and 
managing executives have recognized that Corporate Social Responsibility (CSR) 
and sustainable management have a positive impact on corporate success worldwide. 
The Sustainable Development Goals (SDGs) of the United Nations, including the 
Inner Development Goals (IDGs), are a valuable contribution to this. 

For example, changes in responsibilities regarding road traffic are indicated by the analysis of German court decisions on pedestrian accidents since 2004 (see section 4.6.4 and Annex A: Change in jurisdiction on the responsibility for pedestrian accidents). The liability for damages in pedestrian accidents increasingly lies with the owner and therefore, in the case of fully automatic functions, in the future probably with the manufacturer. As a result, our current risk awareness in road traffic with regard to risk acceptance in automated driving levels must be called into question. An example for this is the child running between parked vehicles. In this context, it must be questioned whether speeds of 50 km/h or more are appropriate in traffic areas with visual obstructions, such as parked vehicles.

Conventional dynamically adapted interactions of today’s mobility can also be questioned in terms of whether fully automated vehicles must always behave in accordance with traffic regulations. Today’s mobility is based on the fact that in some traffic situations, human pragmatism makes decisions that are weighed up against traffic rules in order to maintain the flow of traffic. An example of this is the continuous road lane marking line that needs to be crossed to overtake a bike or a broken-down vehicle.

Traffic would probably come to a complete standstill in some places if rules were not broken. Therefore, the challenge is to program the vehicle software in such a way that it considers the illegal behavior of other road users and possibly breaks its own rules to reactivate the traffic flow. This leads to the recommendation that in the future the developers make their ethical decisions regarding the programming of the software more transparent within society, because this is where the opinion is formed as to which system reactions with corresponding risks are accepted. As long as not all rules for behavioral decisions have been made concerning how automated vehicles should behave in specific situations (when, how, why (or not) to warn, steer, brake), an intensive dialogue between developers and system providers on the one side and society on the other is recommended. This applies in particular to the performance of self-learning Artificial Intelligence systems. Deeper Neural Networks (DNN) with a depth of more than 150 layers are increasingly easier to optimize today and can improve their precision due to a significantly increased depth, with errors of less than 4% in the classification task. As a result, the object recognition data set improves significantly (He K. et al., 2015, 2016).

So far, not all general requirements have been defined as to how a vehicle should 
behave in specific situations. The discussion about the safe state raises new ques- 
tions too. Furthermore, it should be mentioned that automation, combined with 
connected networking, Artificial Intelligence and Deeper Neural Networks, offers 
new opportunities for cybercrime, another topic that is not discussed in detail here. 

The concluding outlook on the current state of science again points to the limits of testability. While trivial systems can be tested, the challenge increases for complex systems. The Department of Motor Vehicles (DMV) in the USA, which is comparable to German road traffic authorities, publishes annual “Disengagement Reports”. These include, among other things, how often humans had to take corrective action during testing of fully automated vehicles or when the system returned control to the safety driver.

These results indicate on the one hand the successful commitment of the Google subsidiary Waymo and on the other hand the need to optimize the robustness of fully automated vehicles. While Apple’s test drivers had to intervene a total of 871.65 times per 1000 miles traveled (one intervention per 1.1 miles), Waymo’s test drivers intervened only 0.09 times per 1000 miles (one intervention every 11,154 miles) (see Annex Fig. A.7).
Annex A: Change in Jurisdiction on the Responsibility for Pedestrian Accidents


According to German § 3 Abs. 2a StVO (the vehicle driver has to behave towards children, people in need of help or elderly people, especially by reducing the driving speed and by being ready to brake, in such a way that a danger to these road users is excluded), an earlier reaction or slowing down is required.

In the following, the jurisdiction on the responsibility for pedestrian accidents has been researched using examples since 2004. There has been a significant change since the Federal Supreme Court (Bundesgerichtshof — BGH) ruling of 2014. The trend shows that the liability for damage in pedestrian accidents could in future rather remain with the owner and, in the case of fully automated functions, probably with the manufacturer. It is recommended to pay attention to the further jurisdiction.


1. Regensburg Regional Court (Landgericht - LG)
Reference number: 1 O 1708/04, dated October 28, 2004:
In the event of an accident involving a pedestrian or cyclist, the operational risk can recede behind the fault of the non-motorized road user, even if there was no force majeure.

Note: Old common jurisdiction (the responsibility lies with the pedestrian); the operational hazard recedes.
2. Kammergericht (KG), corresponding to the Oberlandesgericht (OLG) Berlin
Reference number: 12 U 138/05, dated June 06, 2006:
Pedestrians who wish to cross a roadway outside pedestrian crossings or the markings of traffic lights must carefully ensure that the roadway is clear. If the crossing pedestrian collides with a motor vehicle, this indicates gross fault on the part of the pedestrian, in particular insufficient observation of the traffic situation, behind which the operational hazard of the motor vehicle regularly recedes.

Note: Old common jurisdiction (the responsibility lies with the pedestrian); the operational hazard recedes.


3. Kammergericht (KG), corresponding to the Berlin Higher Regional Court (OLG)
Reference number: 12 U 143/08, dated February 26, 2009:
The pedestrian must pay attention to the privileged traffic on the road and may not try to cross the road in front of an approaching vehicle. In any case, if there is heavy traffic, pedestrians must expect that vehicles approaching in the right lane will also be approaching in the left lane. If the pedestrian nevertheless takes a fast step onto the road, he acts with gross negligence, with the result that the operational hazard of the vehicle approaching him in the left lane recedes completely behind the pedestrian’s own fault.

Note: Old common jurisdiction (the responsibility lies with the pedestrian); the operational hazard recedes.


4. Kammergericht (KG), corresponding to the Berlin Higher Regional Court (OLG)
Reference number: 12 U 178/09, dated June 24, 2010:

If a vehicle driver, when reversing into a parking space with the left side of the vehicle swinging out, injures a 16-year-old pedestrian who is on the roadway (who had previously crossed a barrier in violation of § 25 Section 3, 4 StVO to cross the roadway at an unauthorized point and had also noticed that the vehicle would reverse into the parking space), the liability for operational risk is subordinated to the gross negligence of the pedestrian.

A duty of a motorist parking backwards, who had checked the space behind him before starting to reverse, to check the space to the left of his vehicle again before entering the parking space to ensure that there is no other road user there, does not apply to a pedestrian acting in gross violation of traffic regulations, which he should not have expected.

Note: Old common jurisdiction (the responsibility lies with the pedestrian); the operational hazard recedes.
5. Köln Higher Regional Court (Oberlandesgericht - OLG)
Reference number: 7 U 103/10, dated November 25, 2010:
The possible slight fault of a motor vehicle driver and the operational hazard of the vehicle completely recede behind the gross own fault of a heavily drunken pedestrian who lies, darkly dressed, on the dark road in the dark.

Note: Old common jurisdiction (the responsibility lies with the pedestrian); the operational hazard recedes.


6. Düsseldorf Higher Regional Court (Oberlandesgericht - OLG)
Reference number: I-1 U 255/10, dated November 15, 2011:
The fact that pedestrians at an intersection controlled by light signals may only cross the road under green light is an elementary rule of behavior. Running onto the road at red is highly negligent. The operational hazard of the vehicle entering the intersection at green is secondary to the gross negligence of the pedestrian.

Note: Old common jurisdiction (the responsibility lies with the pedestrian); the operational hazard recedes.


7. Regional Court Essen (Landgericht — LG)
Reference number: 3 O 358/10, dated February 27, 2012:
If a pedestrian inattentively crosses the road without paying attention to approaching vehicles and is hidden from the driver being sued by a preceding vehicle, the accident is unavoidable for the driver and the operational hazard of the vehicle driven by him recedes completely behind the fault of the pedestrian.

Note: Old common jurisdiction (the responsibility lies with the pedestrian); the operational hazard recedes.


8. Federal Supreme Court (BGH)
Reference number: VI ZR 308/13, dated August 19, 2014:
According to § 9 StVG, § 254 BGB, the compensation claim of the pedestrian, who is not subject to strict liability, may only be reduced if it is established that the pedestrian has caused or contributed to the damage through his or her conduct. This requires the conviction of the court according to the standard of proof of § 286 ZPO. The burden of proof for a misconduct of the pedestrian lies with the driver and owner of the vehicle.

Note: Change in jurisdiction by the Federal Supreme Court — the responsibility lies with the driver and the holder of the vehicle and may only be reduced under these conditions.
9. Regional Court (Landgericht - LG) Berlin
Reference number: 41 O 174/14, dated July 02, 2015:
If a girl aged 11 years and 9 months enters the road without paying attention to any approaching motor traffic and an accident occurs with an approaching motor vehicle, the prima facie evidence speaks for gross fault of the pedestrian, with the result that the operational risk of the motor vehicle is less than the fault of the girl.

Note: Again, old common jurisdiction (the responsibility lies with the pedestrian); the operational hazard recedes.


10. Higher Regional Court (Oberlandesgericht - OLG) Munich, dated January 12, 2018: 10 U 1616/17

(1) According to the constant jurisdiction of the BGH (compare e.g. the decision of 19 August 2014, Case Number: VI ZR 308/13, Legal Weekly Magazine NJW 2014), the claim for compensation of the pedestrian, who in contrast to the defendants is not subject to any strict liability, may be reduced according to § 9 StVG, § 254 BGB only if it is certain that he or she caused the damage by his or her behavior or was partly to blame.

(2) Full liability, without considering the operational risk, shall be borne by the driver and the holder of the vehicle even if it remains unclear how the traffic light was switched when the pedestrian crossed the road.

Note: With reference to the change in jurisdiction by the BGH in 2014 - the responsibility lies with the driver and the holder of the vehicle and may only be reduced under these conditions.


11. Higher Regional Court (Oberlandesgericht — OLG) Düsseldorf:
Reference number: I-1 U 196/14, dated April 10, 2018:
In the event of a pedestrian accident, ignoring the operational risk only comes into consideration in exceptional cases. Even grossly negligent behavior is not sufficient. In the absence of further aggravating circumstances, it must also be considered whether the accident was unavoidable for the driver. If even an ideal driver could not have prevented the accident with a more forward-looking and extra cautious driving style, this suggests that the liability from § 7 StVG should be completely ignored.

Note: With reference to the change in jurisdiction by the BGH in 2014 - a more forward-looking and extra cautious driving style is necessary.


Annex B: Summarized Questions for Developers


The following questions are fundamental for consulting the general development process:
1) How carefully are the tasks of development, production, sustainability and marketing implemented?
2) What is going beyond the approval criteria?
3) Will a possible damage be avoided or its effect reduced if another design is used?
4) How does the system behave in competition?
5) Do warnings prevent possible damage?


General Questions for safe automated vehicles are covered in the respective 
chapters: 


6) Which risks are known from accident research? (chapter 2, 3)

7) What will be technically acceptable? (designing complex technology, safe limits of sensor technology, system safety) (chapter 2, 3, 4)

8) Which benefits can be put forward to introduce such systems? (chapter 2, 3, 4)

9) How can accident research be used for a safety (risk) assessment? (chapter 2, 4)

10) How safe is safe enough to bring the new system to the market? (chapter 2, 4, 5)

11) How to prove safety of usage? (fuzzy logic of human factors, controllability) (chapter 3, 4)

12) How to prove reliability? (customer satisfaction) (chapter 3, 4, 5)

13) What is legally acceptable? (chapter 4)

14) Which conditions support the development team to develop a safe system? (chapter 4, 5)
Further questions also arise beginning from level 3 systems and above to improve product safety:


15) At what level of vehicle guidance does an internal, external group or the automated vehicle itself have the ability to intervene?

16) At what level of vehicle management does an internal, external group or the automated vehicle itself have the authority to intervene?

17) Which instance is dominant in the conflict of simultaneous intervention?

18) How is the hierarchy between the instances defined?

19) Is the autonomous vehicle allowed, or does it have the possibility, to disregard applicable rules in order to avoid greater damage?

20) Which precautions can the developer take to avoid critical traffic situations while the driver was allowed to deal with secondary or tertiary driving tasks according to the function offered? What precautions can be taken for possible malfunctions?

21) Which precautions can be taken to prevent the driver from activating the system if it is not appropriate? Under what conditions should a secondary or tertiary driving task or non-driving activity be prohibited? (e.g.: “Tesla judgement” Ref.: 1 Rb 36 Ss 832/19)

22) Which possibilities are available to get the driver back into the driving task or to bring the vehicle into a safe state if the driver does not respond to the warning of the system within the specified time period?

23) Which measures must be taken if the automated function expects a takeover from the driver during a time period which is less than the specified time period?

24) Can it be assumed that the system can handle a critical driving situation just as collision-free as the driver could have done?

25) Is it foreseeable that the system will not react as correctly as a driver would have done and the severity of a collision will increase as a result?

26) Were maneuvers of other road users considered that could indirectly cause a collision?

27) Is it possible that the vehicle breaks the traffic rules while the driver was not responsible for monitoring the driving task?


The following two questions focus on specific examples from accident research: 


28) How significant are analyses and findings from road accident research for 
the introduction of automated vehicles? 

29) How can potential safety benefits of automated vehicles be proven? 


An unambiguous understanding of acceptable risks is the basis for decisions 
on automated system designs: 


30) Where do relevant risks caused by automated driving levels come from? 

31) What is an acceptable risk of automated driving technologies that can be 
determined and evaluated (Artificial Intelligence, Artificial Neural Networks, 
Machine Learning, Deep Learning, Blockchain Technology, Trajectory 
Planning, Training Data Set)? 

32) Is the assessment of risk based on frequencies or probabilities (relative 
errors, statistical filtering, e.g. Kalman filter)? 

33) How is the risk perceived? 

34) Will the risk be accepted or not? 

35) Which overall risk is accepted in the respective area? 


The questions for testing automated vehicles: 


36) How should vehicles with advanced automated systems including driverless 
vehicles prove that they can handle a sufficient number of traffic situations 
safely? 

37) Where are the limitations of testing via simulation? 

38) Which factors support a safe development, validation and testing? 

39) What is the significance of bad weather conditions, regarding the introduction 
of automated vehicle technology? 

40) Which scenarios are relevant for the development, evaluation and testing of 
automated vehicle technology? 

41) Will the system be tested within performance limits? 

42) Will the system be tested at performance limits? 

43) Will the system be tested beyond performance limits? 

44) Will functional safety be examined during system failures? 

45) Will functional safety be examined after system failures? 


Information Access: 


46) Is the relevant information of the traffic situation objectively accessible to 
the sensor? 

47) Was the field of vision clear? 


Information Reception 


48) Are the sensors able to detect relevant objects? 
49) Are the selected sensor techniques able to detect the required traffic 
situations properly? 


Data Processing 


50) Is the sensor and information processing system able to correctly interpret 
the traffic situation according to the available information? 


Objective Target 


51) Is the system able to react appropriately to the traffic situation? 


Operation 


52) Is the information processing system able to carry out the decision into 
operation properly? 


Questions according to the system definition: 


53) When should the automated function be reliably assured (normal function)? 

54) In what situations could automation be used in ways for which it is not 
designed (misinterpretation and potential misuse)? 

55) When are the performance limits for the required redundancy reached? 

56) Are dangerous situations caused by malfunctioning automation (failure, 
breakdown)? 


Questions for legal risk assessment: 


57) Which risks exist for product liability claims when autonomous vehicles do 
not meet the requirements of a safe product? 

58) Which failures may lead to product recalls? 

59) Will the brand image be sustainably damaged, if the automated vehicle 
technology does not comply with consumer expectations? 
Questions to avoid civil and criminal claims: 


60) Has the new system already been checked for possible failures prior to 
development, considering the risks, probability of occurrence and benefits? 

61) Can the vehicle be type-approved in the intended technological specification 
in order to be licensed for safe road traffic use? 

62) Which requirements have to be considered when developing and marketing 
safe automated vehicle technology? 

63) Under what conditions is an automated vehicle considered defective? 

64) How is the duty of care assured during development? 

65) What will change legally if a machine drives instead of a driver? 


Central Question for Validation: 


66) Did we build what we promised? 
(Validation and testing during or at the end of the design process determine 
whether the system meets customer expectations and the specified requirements) 


Essential questions from previous product liability cases: 


67) What measures beyond purely legal framework were taken to 
assess/minimize risk, damage, and hazards? 

68) Are generally accepted rules, standards, and technical regulations 
comprehensively checked? 

69) Was the system developed, produced, and sold with the required duty of 
care? 

70) Could the damage that occurred have been avoided or reduced in its effect 
with a different design? 

71) How do competitors’ vehicles behave, or how would they have behaved? 

72) Would warnings have been able to prevent the damage? 

73) Were warnings in the user manuals sufficient or are additional measures 
required? 

74) Was a reasonable level of safety achieved with appropriate and sufficient 
measures in line with state of the art and science at the time it was placed 
on the market? 

75) Was or is the automated vehicle being monitored during customer use? 
Questions arising in an ethical context: 


76) Are there any requirements for controllability, transparency and data 
autonomy? 

77) Which technical requirements are necessary to legally protect the individual 
human being within society, their freedom of development, their physical 
and mental integrity, and their right to social respect? 

78) Will the automated vehicle avoid accidents as well as practically possible? 

79) Is the technology designed according to its respective state of the art in such 
a way that critical situations do not arise in the first place? 

(including dilemma situations in which an automated vehicle is faced with 
the decision of having to implement one of two evils that cannot be weighed 
up) 

80) Has the entire spectrum of technical possibilities been used and 
continuously been further developed? 

(Limitation of the area of operation to controllable traffic environments, 
vehicle sensors and braking performance, signals for endangered persons 
up to hazard prevention by means of an “intelligent” road infrastructure) 

81) Is the development objective focused on significantly increasing road safety? 

82) Was defensive and safe driving already considered in the design and 
programming of the vehicles — especially with regard to Vulnerable Road Users 
(VRU)? 


Questions related to the activities for functional safety management: 


83) Are people responsible for the specified safety cycle named? 

84) Are the developers and quality managers informed about the scope and 
phases? 

85) How are the proofs for quality and project management provided? 

86) Were the ASILs (Automotive Safety Integrity Levels) derived correctly and 
assigned correctly based on the risk of a dangerous event? 

87) Which criteria are used to decide whether it is a new development or just a 
product takeover? 

88) How are the results of the risk analysis documented and communicated? 

89) Which processes are used to support hardware development? 

90) Were adequate measures taken to avoid systematic errors in highly complex 
hardware? 

91) Which activities were defined for all V-model phases? 

92) What ensures that only the desired functions, but no unwanted functions, are 
included? 
93) Which measures ensure that the integrated software is compatible with the 
software architecture? 
94) Have the required methods been applied for the ASIL to be achieved in 
accordance with the design, the software and hardware components used? 
95) Are relevant methods intended for test cases to be tested? 
96) Are necessary maintenance schedules and repair instructions created? 
97) Which requirements must be fulfilled for a project safety plan? 
98) How are changes to safety-relevant components analyzed and controlled? 
99) Is a sufficiently independent auditor or assessor integrated into the 
development process? 
100) Are the necessary processes documented for all project participants? 
101) How is the final system and application safety documented? 
(see Annex Fig. A.3, example documentation sheet of the ADAS Code of 
Practice) 


Detailed questions on team communication practices regarding Sustainable 
Development Goals (SDG) and Inner Development Goals (IDG): 


102) Is there a possibility to solve conflicts through dialogue and non-violence 
instead of war? 

103) In which areas should communication be clearer, more direct, more honest, 
and more open? 

104) Does teamwork ensure a positive working atmosphere and cooperation 
based on trust? 

105) Is a trust-based cooperation between the team and the management ensured? 

106) Do team members get a clear sense of belonging for a common we-feeling 
and team spirit? 

107) Are team members perceiving common problems and clear leadership 
within teamwork? 

108) Is there an adequate balance between giving and taking among team 
members? 

109) Can willingness to cooperate and team spirit be promoted to increase the 
operating results of the team? 

110) Is there a deep desire to improve for more successful teamwork? 

111) Do team members understand the need for self-organization as a common 
challenge in performing their tasks? 
112) Is the work environment or the spatial psychology suitable for a sense of 
well-being for performance and communication skills within the New Work 
requirements? 

113) Does the work environment support an individual’s ability to concentrate, 
creative thought processes and space for recovery to be able to regenerate 
after challenging stresses? (Space for rest & concentration, space for 
creativity, space for meetings, space for communication, space for food intake, 
space for the senses, space for movement and socializing) 


Detailed questions regarding the skills and behavior of team leaders: 


114) Can team members trust their team leaders? (People are judged within 
seconds on warmth, social behavior, and essential to survival, whether a 
person deserves your trust; see Harvard Prof. Amy Cuddy in: Presence: 
Bringing Your Boldest Self to Your Biggest Challenges) 

115) Can team members respect their team leaders? (Persons are judged only 
in the second step on competence, strength, and confidence “body-mind 
effects” in moments of stress; see Harvard Prof. Amy Cuddy in: Presence: 
Bringing Your Boldest Self to Your Biggest Challenges) 

116) Do the managers have a broad overview and are they able to differentiate 
emerging conflicts, contradictions, tensions, and ambiguities? 

117) Has a team development concept been developed based on previous 
knowledge? 

118) Is there the leadership competence to jointly find out which team members 
can most competently complete a currently urgent task and to give them the 
necessary responsibility? 

119) Is the permanently higher performance of individuals for the whole team 
result recognized? 

120) Does disciplinary or lateral leadership have priority as a central control 
function, and does it exercise this priority appropriately? 

121) Does the leadership stand by its function and is it appropriately and 
transparently legitimized? 

122) Can the applied type of leadership have an impact, influence and be accepted 
in its special function? 

123) Does the leadership take responsibility and is it also prepared to make 
controversial, unpleasant decisions? 

124) Are the managers mindful and flexible, do they react moderately and remain 
meaningfully persistent? (see Fig. A.19) 
125) Do managers have experience in modern leadership principles of systemic 
thinking and practice from systems theory? 

126) Do managers integrate scientifically based models of thought and action 
from systems theory across interdisciplinary action disciplines? (for example, 
from sociology, philosophy, cybernetics, biology, chaos theory, psychology, 
communication theory or neuroscience) 

127) Are systemic perspectives with the complex team interaction patterns 
considered in addition to the consideration of individual persons or causes? 
(see Fig. 4.13) 

128) Are there complaints of disruptions in the team’s self-organization due to 
lack of communication or conflicts between individual employees? 

129) Is it intended to optimize the competencies of individual team members in 
addition to the competencies of the entire group? (e.g. communication) 

130) Is there any indication of a leadership vacuum? 


Detailed questions regarding team development and organizational development 
support from an internal or external consultant: 


131) Was any consideration given to hiring a moderator? 

132) Is it possible for the executive manager to engage an internal or external 
consultant to support him or her in team development? 

133) Which methods are most suitable? (for example, training, coaching, 
moderated workshops, feedback techniques, outdoor training) 

134) Has it been clarified which members form the team and how it has been 
working so far, in order to work out a team development concept? 

135) Has it been clarified from which type and background the members of the 
team are formed? 

136) In which way has the team worked so far? (What is going wrong and why? 
What needs to be improved? etc.) 

137) Have rules for working together been jointly developed within the team and 
agreed upon? 

138) Has a guardian been engaged to ensure compliance with the agreed 
communication rules? 

139) Was each team member rotated as a watcher from an observer position over 
communication and interaction? 

140) Has a joint feedback session on the implementation of communication been 
established in the team on a regular basis? 

141) Has an internal and possibly also a neutral external consultant been 
consulted in the event of conflicts? 
142) Has the preliminary concept created by the consultant been discussed with 
the supervisor and adapted if necessary? 

143) Were the challenges and conflicts within the team jointly defined and their 
causes analyzed? 

144) Have the team building phases been considered? (1. Forming: entry and 
discovery phase, 2. Storming: argument and dispute phase, 3. Norming: 
regulation and agreement phase, 4. Performing: work and performance 
phase, 5. Adjourning: dissolution phase) 

145) Have agile management methods such as Lean Management, Scrum, Kanban, 
or others already been used and how have they been implemented in 
practice? 

146) Was the desired target state for the future subsequently defined? 

147) Were goals for the future subsequently developed on the basis of these 
challenges and conflicts? (for example, reorganization of cooperation structures) 

148) Was a final success control defined regarding these targets? 


Detailed questions regarding the personal and developmental skills of all 
individuals: 


149) Do all individuals, including the team members, enjoy their work? 

150) Is the individual person in the team appreciated and valued appropriately 
within his or her individuality (personal characteristics, attitudes, 
knowledge, and potential) and, above all, his or her value? 

151) Does the work develop both: the company and the individual? 

152) Beyond the appropriate knowledge and tools, do leadership and team 
members have sufficient human-centered skills? 

153) Are employees and managers mindful and flexible, do they react moderately 
and remain meaningfully persistent? (see Fig. A.19) 

154) Do sufficient competencies exist regarding self-organization or self- 
leadership of all individuals? 

155) Are stress management programs appropriate to train focused attention and 
stabilizing extended mindfulness? (e.g. MBSR Mindfulness-Based Stress 
Reduction) 


Ethics-related practical questions for all managers and employees: 


156) Do you (the individual employee) act responsibly so that you don’t have 
regrets later? 

157) Do you consider the legitimate interests of others? 

158) Are you focused on what is really important in your life? (health, family, 
friends, success, money, etc.) 

159) What values drive you? (Discipline, accuracy, excellence, honesty, faith, zest 
for life, transparency, clarity, presence, self-respect, justice, social respect, 
fairness, integrity, love) 

160) What needs do you have? (Basic needs: Food, water, sleep; Security needs: 
Material and occupational security; Social needs: Friendship, group 
membership, love; Individual needs: Recognition, validity; Self-actualization) 

161) What should I (the employee) do? In other words: What is the most 
reasonable, the right, the good thing you should do? 

162) Does ethical, moral action in the concrete case really mean renunciation? 

163) Am I willing to forgo short-term gains that harm others? 

164) Do you currently invest in something sustainable even though it represents 
a kind of renunciation? (see Inner and Sustainable Development Goals) 

165) What prevents you from implementing sustainable structures in your 
daily or professional life? (e.g., respectful, friendly, productive, engaged, 
ecological, resource-conscious interaction, see Inner Development Goals) 

166) Is there a possibility to bring values and reality into discussion? (child labor, 
corruption, etc.) 


Questions regarding an ecologically economical, sustainable management 
approach (Corporate Social Responsibility - CSR) 


167) What principles, visions, goals, strategies and, above all, values does the 
company follow in its actions? (see also Sustainable Development Goals) 

168) How influential are the interest groups in the company’s activities, which 
ones are the most important, and how close is the business contact? 

169) Basically, what is the company’s core business and where do they plan to 
operate in the future? 

170) Where does the company see itself and where does its greatest potential 
currently lie? 

171) Can existing risks be identified where improvements and preventive 
measures can be taken? 

172) Which actions are already in practice and which additional activities would 
be useful? 

173) How is the company’s activity communicated? 

174) How are employees involved in the company’s activities? 

175) In which ways are social responsibility processes managed? 

176) How is knowledge stored, shared, and constantly improved? 
Checklist for the selection of project managers: 


177) Does the person being considered to lead the project already have 
experience in leading projects? 

178) Is the person communicative and does he or she like to exchange ideas? 

179) Does his or her personality have the ability to connect and integrate? 

180) Does the respective person fit into the team in terms of his or her character 
or attributes? 

181) Is the person self-reflective and able to compromise? 

182) Does the targeted person have the required leadership skills? 

183) Can she or he handle uncertainty? 

184) Does the personality have experience in dealing with conflicts (see Fig. 
A.19)? 

185) Does the person move forward with clarity? 

186) Does she or he set priorities? 

187) Does she or he keep a clear head during crises (see Fig. A.19)? 

188) Does the person have a “Go-Ahead Gene”? 

189) Is she or he able to inspire as well as motivate other team members? 

190) Can she or he delegate within the team without being a “micromanager”? 

191) Do you have a good gut feeling or instinct about this person in a future role 
as a project manager? 

192) Does the person have extensive knowledge and experience of project 
management skills and methods (such as: work breakdown structure, network 
planning technique, milestone trend analysis, Kanban, stakeholder analysis, 
risk analysis, make-or-buy analysis, waterfall model, critical path method, 
Scrum, Lean, etc.)? 

193) Is the person skilled in facilitation and moderation techniques? 

194) Does the person in question know the scope of the project? 

195) Does the person know the project environment and bring expertise in the 
task area? 


In-depth questions regarding your self-reflection or each individual person 


196) What are (your) the really significant things and people in the lives (your 
life) or workplaces of each leader and team member? 

197) Do all individuals (you) reflect on which they (you) can support people 
or colleagues they (you) feel connected to? (see also Inner Development 
Goals) 
198) Do all individuals (you) ask themselves (yourself) in which way they (you) 
can best serve closely connected people? 

199) Which people, colleagues, superiors, or the complete organization can each 
individual person (you) support with the personal skills she or he has (you 
have) been given? 

200) To what extent is work seen by the individual (by you) as the most important 
purpose in life? 

201) Does an individual person (Do you) want to achieve more success in their 
(your) career than their (your) colleagues or even supervisors? 

202) Do individual persons (you) overwork themselves (yourself) beyond the 
general level when there is an increased workload? 

203) Does an individual person (Do you) want to do his or her (your) work 
perfectly and absolutely error-free all the time? 

204) Does most of the total energy given by the individual (you) predominate 
compared to the energy taken by the individual (you)? 

205) Where and how is lived energy (your lived energy) held back and not expressed? 

206) Do individual persons (you) have difficulties switching off after work and 
relaxing in their (your) free time? 

207) Do people (Do you) tend to resign quickly when faced with unsuccessful 
work tasks or challenges? 

208) Can employees (Can you) remain relaxed in the face of increased tension 
and hectic activity in the workplace? 

209) Were employees (you) unsuccessful in their (your) previous work life, even 
though they want to be successful? 

210) Does the person (Do you) have little ability to perceive and feel their (your) 
emotions? 

211) Is there (Do you have) evidence of strong individual protective strategies 
(self-protection, striving for power, striving for perfection, obsession with 
beauty, addiction to recognition)? 

212) Do negative inner persuasions emerge with beliefs? (For example: I am not 
enough ..., I must ..., I must not ..., I cannot ..., I am not allowed to oppose 
...) 

213) Are there any indications of a burn-out risk? (Were questions 199 to 212 
confirmed partially or completely?) 

214) Are those persons affected (Are you) open to methods of mind training, 
attention training or Mindfulness-Based Stress Reduction)? 

215) Do individuals (you) reflect on where they (you) are in their lives (your life) 
right now? 

216) In which phase of life do the individuals (you) see themselves (yourself)? 
217) What is the history (your history) behind each leader and team member? 

218) What lies ahead of (you) each leader or team member? 

219) Is an individual person (Are you) in a transformational or change situation? 

220) What needs to be loosened or changed for new things to happen in (your life 
and workplace) the lives and workplaces of every leader and team member? 

221) Does something new want to be invited in? 

222) Which phase is ending, what is beginning? 

223) What does each individual (do you) want to align with? 

224) What is (your) the person’s current primary concern? 

225) Who, other than (you) the individual person themselves, will benefit from 
the vision (you have created for yourself)? 

226) What specific things can (you) each individual do to move toward (your) 
their intended purpose so that the intention or vision does not remain just 
wishful thinking? 

227) Is it possible for (you) individuals to ask in-depth questions under the 
assumed premise that (you) they will only have a limited amount of time to 
live? 

228) What else (would you) does the individual like to complete for (yourself) 
themselves? 

229) What “loose ends” still want to be joined together? 

230) Are there postponed things in (your work or life) the work or life of 
individuals that (you need) they need to finish so that (you) they can leave 
this world with a feeling that all is well? 

231) What do individuals (you) need to separate or distance from? 

232) How can (you) the individual person best practice a necessary separation or 
distancing in a concrete way? 

233) What concrete actions do (you) individuals need to implement? 

234) Are there deferred things in (your) the individual person’s life that need to 
be finished? 

235) (Do you) Does the individual person still have old baggage to throw off? 
(work through possessions that are no longer needed, others write a will or 
make a living will for the first time in their lives) 

236) Should (you) the person, still talk with close people, colleagues, or 
superiors, or clear up interpersonal discrepancies? 

237) (Do you) Does the individual feel that the time has come to affirm an 
important transition, to bring an end to a personal crisis, or to underscore a 
new level of maturity? 

238) Do (you) individuals feel they want to step back from their previous 
actionism for a short time to reflect? 
239) (Do you) Does the person often tend to have a particularly agitated state of 
mind (also called monkey mind) under stress or in a threatening situation? 

240) Can (you) the person never remain focused for more than a few seconds? 

241) (Do you) Does the person jump right back out of presence or conscious 
breathing on to, for example, any sounds, thoughts, memories, sensations, 
images? 

242) Is there a feeling of restlessness and disquiet due to constant movement? 

243) Will there be the ability to notice whenever we are distracted, letting our 
thoughts wander, to return to the breath, to the present moment? 

244) Will (you) people be able to perceive what is going on inside of them 
without judging it? 

245) Is there a possibility that the individual or you practice these methods 
conscientiously? 

246) Is the journey of the deepening stages of meditation about you or the 
individual person coming to stable attention? 

247) Can attention remain focused on the object of meditation, i.e. the breath, 
for minutes at a time? 

248) Does the mind drift for only a few seconds before returning? 

249) Is the mind predominantly wandering and lost in one thought or chain of 
thoughts? 

250) Is there the ability to return and refocus attention in a gentle but decisive 
way? 

251) What does it mean for (you) individuals to live at the level of heart? 

252) Which are the desires at (your heart) the heart of the individual? 

253) What would (your) an individual’s life look like if it were in harmony with 
the level of heart? 

254) Assuming that the external circumstances would remain as they are, but at 
the same time (you) the individual person would be in harmony with (your) 
his heart level, how would (you) they describe this state? 

255) Is the heart of the individual ready to let something in, to open themselves 
up, to open up to people, to open up to life, to open up to love, to give 
something or to accept something? 

256) Is (your heart) the heart of the individual ready to let go of old heart-level 
hurts? 

257) Are individuals (Are you) willing to let their (your) heart take the lead as 
well? 

258) Is there an awareness that inner strength and heart energy together make a 
good interplay? 
259) Are there balanced relationships between dependence, autonomy, free 
development, and independence? 

260) Is there a sense of basic trust (a deep feeling of security regarding oneself 
and the reliability of human relationships)? 

261) Which protective strategies are predominant in the individual (you)? 
(Reality displacement, projection and victim thinking, striving for harmony and 
over-adaptation, helper syndrome, striving for perfection, addiction to 
recognition, beauty mania, striving for power, striving for control, attack and 
assault, childlike behavior, escape, withdrawal, avoidance, fear, addiction, 
narcissism, camouflage, deception, dishonesty ...) 

262) Is the individual (Are you) entrenched in rational thinking? 

263) Do inner hurts and fears not want to be felt? (Sadness, pain, shame, anger, 
helplessness, despair) 

264) Is there a good balance of a motivational system about gaining pleasure 
(pleasure satisfaction, for example, through food, sports, movie ...) and 
feeling displeasure? (hunger, thirst, heat, cold, pain ...) 

265) Is there a strong dependence on external encouragement or mirroring? 

266) Do limiting or unrealistic inner beliefs determine the own identification 
with the perception of feeling, thinking, and acting? (deeply anchored inner 
beliefs, such as “I am not enough, I am at a disadvantage, I can’t do it... ”) 

267) Do instant inner hurts with anger, fear or envy arise through a chain of 
beliefs, interpretation of reality, feeling and behavior? 

268) Is there an openness to turn burdensome limiting core beliefs into their 
positive opposite? (I am valuable, I am allowed to make mistakes, I am 
allowed to feel, I can do it ...) 

269) Has the person (Have you) learned to ground themselves (yourself) in the 
body, to feel into the body, to expand or widen the space of the area of 
attention so that the space includes the whole body and, if necessary, takes 
all the senses into account? 

270) Are moments of wandering thoughts perceived, in which the person is (you 
are) no longer at what they (you) originally intended to do? 

271) Is the team or (you) an individual open to methods of a Mindfulness-Based 
Stress Reduction MBSR? (German: “Achtsamkeitsbasierte Stressreduktion” 
with, for example, mindful body awareness “Body-Scan”, mindful performance 
of a number of yoga exercises “Asana”, practicing “silent sitting”, the 
so-called sitting meditation “Zazen” or “Vipassana”, mindful performance 
of slow movements, e.g. in the form of a walking meditation “Kinhin” or 
mindful breathing exercises “Breathing-Space”) 
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272) 


273) 


274) 


275) 


276) 


277) 
278) 
279) 


280) 


281) 


282) 


283) 


284) 


285) 


Is the person (Are you) ready for a meditation practice despite difficulties 
such as drifting off, getting sleepy, drowsing away, impatience, inner voices 
such as comments by own ego attacks or self-doubt? 

Does the person (Do you) know what meditation is about, how to practice, 
what problems and obstacles arise, and how to deal with those obstacles? 
Are the four main obstacles known? (1. The feeling of not having enough 
time to meditate, 2. The implementation is postponed and delayed because 
of other urgent appointments, 3. Resistance and unwillingness are generated 
against doing the practice, 4. Doubting one’s own ability to meditate 
independently) 

Is there a willingness to make a meditation practice a priority, an important 
item on the agenda, to which other things are secondary? 

Do individuals (you) have the inner attitude and motivation to approach 
a meditation practice in a relaxed, non-judgmental, non-prejudiced way, 
without constraints and without unrealistic expectations? 

Is there the confidence to carry out this practice with joy, curiosity, and 
openness, without becoming hardened in the process? 

Are openness, self-confidence and conscientious persistence maintained so that 
pleasant positive sensations, results and progress can occur with pleasure? 
Is the person (Are you) aware of why we (you) meditate? Is the person (Are 
you) inspired and reminded of what the benefits of meditation are? 

Can the person (you) trust that the development of stable mindfulness 
and stable attention at different levels will increase through a meditation 
practice? 

Does the person (Do you) rely on the fact that, instead of various degrees of 
unconsciousness and dullness (also called autopilot), gradually increasing 
sensitivity and interaction of focus and peripheral attention will occur 
through meditation? Can the person (you) look forward to the ability to 
concentrate on things and to focus increasing through meditation, while at 
the same time noticing what else is going on in the wider environment? 

Does the person (Do you) have confidence that a meditation practice will make 
them (you) more sensitive to how objects relate to each other and to the 
context in which they occur? 

Through meditation practice, does the person (do you) look forward to 
processing information more thoroughly in the future by being able to better 
select the objects to which they (you) want to direct attention? 

Does the person (Do you) aim, through meditation, to focus attention in the 
future more on important objects rather than circling around? 
286) Do meditators trust that peripheral awareness can be maintained more 
strongly while they are focused on something and that they are less likely to 
get caught up in projections and subjectivity? 

287) Do meditators look forward to the fact that this makes it increasingly 
possible to perceive things as they are? 

288) Are individuals (you) able to recognize that a restless mind without 
perspective is more likely to remain confusedly trapped in projections and 
worries, whereas meditation can calmly look into the underlying depths? 

289) Can the person (you) consider the following metaphor: The restless mind is 
like a lake with water that has been churned up by the wind. There is no 
clear reflection to recognize. One cannot see the bottom of the lake. However, 
when through a meditation practice the dirt that was so agitated (which 
in this analogy has clouded our mind) settles, then the water becomes clear, 
the sky and clouds are reflected in it, and the bottom of the lake is 
visible. 

290) Does the person recognize that the practice is not about reaching a calm 
lake as quickly as possible, and can the person consciously walk the path 
to get there? 

291) Can the person (you) learn about the nature of the water (the current 
situation), how troubled water transitions to a calm pure state, from turbid 
to crystal clear? 

292) Is it realized that mindfulness is like the sunlight that shines on this lake 
and allows us to also look into the depths down to the bottom? 

293) Is there an open-minded mindset that meditation consists of a series of 
simple tasks that are easy to perform and repeat until they bear fruit? 

294) Is the person (Are you) able to approach a meditation method in a clear 
consistent way? 

295) Is there a desire to establish a meditation practice and to set up, implement 
and work out a systematic schedule with regular appointments for it? 

296) Can a suitable, quiet place be created for meditation practice? 

297) Does the person (Do you) want to receive focused attention while still being 
aware of what is going on around them in peripheral awareness? 

298) Is the person (Are you) aware that the place to which attention is directed 
is always consciously chosen? 

299) If the current attention has moved away, is the person (are you) aware that 
it can be brought back into the presence in a gentle but conscious way? 

300) Instead of castigating and judging, is it possible to especially appreciate and 
acknowledge these moments? 

301) Is the mind open to being playfully and actively interested in the breath? 
302) Are the principles of any practice for stable conscious awareness 
considered? (1. resonate with the present - what is here now, 2. focus on body 
sensations from the present, 3. further specify body sensations, 4. arrive at 
the breath). Can these moments be perceived as those where the person is 
(you are) fully present and aware? 

303) Are these moments of presence perceived as times of joy and appreciation 
when the spirit awakens and realigns? 


Regarding Corporate Social Responsibility and Sustainability, the author refers 
to the United Nations Sustainable Development Goals (SDG) at www.un.org. The 
United Nations defined 17 goals as a call to action for sustainable development 
worldwide. These 17 topics were accepted by all UN member states in 2015 
as part of the 2030 Agenda for Sustainable Development: 


1. No poverty, 
2. Zero hunger, 
3. Health and well-being, 
4. Quality education, 
5. Gender equality, 
6. Clean water and sanitation, 
7. Affordable and clean energy, 
8. Decent work and economic growth, 
9. Industry, innovation and infrastructure, 
10. Reduced inequalities, 
11. Sustainable cities, 
12. Responsible consumption and production, 
13. Climate action, 
14. Life below the water, 
15. Life on land, 
16. Peace, justice and strong institutions, as well as 
17. Partnerships for the goals. 




A nonprofit initiative added the Inner Development Goals (IDG) to accelerate 
the realization of these UN Goals (www.innerdevelopmentgoals.org): 


1. Being (relationship with self): Cultivating our inner life, our development 
and relationship to our thoughts and feelings, in order to be present, to act 
with intention and to be non-reactive when confronted with complexity. 

2. Thinking (cognitive skills): Developing our cognitive skills to take 
different perspectives, evaluate information and understand the world as a 
connected whole for wise decision making. 

3. Relating (caring for others and the world): Appreciating, caring for and 
feeling connected to others (neighbors, future generations, the biosphere) 
for more equitable and sustainable systems and societies for all. 

4. Collaborating (social skills): Developing the abilities to implement common 
concerns with actors of different values, skills and competencies, with 
sufficient space to communicate. 

5. Acting (driving change): Courage and optimism for acquiring true agency, 
breaking old patterns and developing original ideas to act with persistence in 
uncertain times. 


Annex C: Questionnaire for Qualitative 
Interviews with Developers 


For qualitative interviews in the development departments, an interview guide for 
general orientation was prepared. 


1. Preparation for conducting interviews 
These interviews were conducted in the development departments of two South 
German automotive manufacturers. 

The following was introduced in advance: 


a) Declaration of consent by the developers for a survey 

b) Agreements of the developers to an audio recording of the survey and the 
following evaluation 

c) Creation of a schedule 

d) Planning of useful locations for the survey 


2. Implementation of the questions and welcome 
2.1 Procedure 


a) Receipt of the person 

b) Justification for the selection of that person 

c) Obtain signature for consent to audio recording 

d) Communication and assurance of anonymity 

e) Promise to delete the audio recordings in the follow-up 

f) Corresponding note on the planned scientific use of the responses 
g) Start of first questions: 
— Which function do you develop? 
— What are your responsibilities? 


2.2 Framework Conditions 


a) The surveys should be flexibly adapted to the process 

b) Statements on the scientific background 

c) Description of the own background of professional experience 

d) Encouragement for the free expression of good — as well as bad — with own 
ideas and desires 


3. Special questions for experienced executives and leaders 

(Excludes questions from point 4!) 

Assuming that experienced executives and leaders have no experience with 
structured development processes that use specific standards or guidelines, 
the survey initially differs somewhat. 

3.1 Questions Regarding Knowledge and Experience of Structured and Guided 
Development 

3.1.1 Awareness of guidelines, such as a code of practice 


a) Do you know development guidelines? 


If there is no previous knowledge: 
If no examples are mentioned at this point, a brief explanation is given about 
the possibilities of a guideline- and checklist-supported development process. 


b) How do you rate the possibility of an application in your development 
sector? 


If there are already experiences: 


c) When and in what context were you confronted with guides in the course 
of development for the first time? 
(In the company, outside the company, in presentations, in literature, on the 
Internet, ...) 

d) How do you see the value of such a structured guideline-based development 
work, such as a Code of Practice? 
e) How do you generally see the development of new systems based on a guide 
or checklist? 


3.1.2 Experiences with development guides 
At which points in the development process do you consider a development 
guide particularly useful or worthwhile? 


4. Survey of developers (Excludes questions from point 3!) 

4.1 Questions on the experiences of the development process supported by 
4.1.1 Knowledge of guidelines 

How is your basic opinion about developing assistance systems with guide or 
checklist support? 

4.1.2 Experience with checklists and guidelines 


a) Have you already used checklists and guides like the Code of Practice? 

b) If so, for what reason? 

c) What basic knowledge has the application brought with it? 

d) In which phase of the development process do you use guides or checklists? 
e) On which occasions do you get in touch with this? 

f) How do you rate application possibilities of guides? 

g) In which stages of development do you think a checklist or a guide is useful? 


4.2 Questions about findings from work with guidelines 


a) How do you assess the benefits of checklists and guidelines in the 
development of driver assistance systems? 

b) Could you benefit from the usage? 

c) What is your view of the ratio of effort to benefit through the use? 

d) Could other specialist departments or business units benefit from guidance 
such as the Code of Practice? 


With regard to the development of driver assistance systems, I would have further 
questions: 


e) In your opinion, what is the consequence if a liability case occurs in one of 
your developed and / or released systems? 
f) In your opinion, who is legally responsible for this? 
4.3 Questions about advantages and disadvantages of guidelines 
4.3.1 Advantages 


a) What strengths do you see in a structured guideline-based development? 
If strengths are mentioned: 

b) Where could you see strengths in the application? 
4.3.2 Perceived general weaknesses 


a) What is bad about guidelines from your point of view? Do you see 
weaknesses? 


If weaknesses are mentioned: 
b) How was your experience with the weaknesses? 
If no weaknesses were identified: 
c) Where do you see potential for improvement? 
4.3.3 Perceived special challenges 
a) How can a guide such as the Code of Practice be integrated into the 
daily work? Do you already use a kind of a guideline or checklist in the 
development process? 
b) Do you see further difficulties with the usage? 
c) Have you experienced difficulties yourself so far? 


d) Do you have any ideas for removing obstacles? Can you suggest 
improvements? 
4.4 Questions about using a guideline, e. g. Code of Practice 
Note: The following questions will only be asked if a guideline has been applied! 
4.4.1 Opinion on actual application 


a) What importance of using a guideline or editing checklists do you see based 
on your work? 
b) What is the opinion of your colleagues? 


If the importance / usage is low: 


c) What do you consider being the main reason for the restrained application? 
d) What measures would you require for an extensive wide-ranging and 
successful application? 


4.4.2 Comprehensibility of checklists 
(Example: Code of Practice for Advanced Driver Assistance Systems) 


a) Have you started the processing of checklists yourself without assistance? 
What did the support look like? (If advice was given in advance) 


Moderation: If no advice was given: 


b) Would you have wanted an advisory support? 

c) Did you understand the contents of the various checklists? How elaborate 
was the induction training to be able to conscientiously complete the 
checklists? 

d) How can errors be avoided by support? 


4.4.3 Questions for missing or dispensable content 
(Example: Code of Practice for Advanced Driver Assistance Systems) 


a) Does the ADAS Code of Practice appear complete to you? 

b) What points are missing in your opinion? 

c) Which points are treated in too much detail? 

d) Would you have a suggestion for a different, possibly better form of this 
development guide? 
4.5 Questions about the future of structured and guided development 


a) How could acceptance of a structured and guided development process 
develop in your opinion? 

b) In your opinion, how can a stronger reference be implemented to the need 
for a structured and guided development process? 

c) From your point of view, where should consultative support for an 
increased use of structured and guided development come from? 


Moderation: Finally, general questions about your daily work routine: 


4.6 Questions about work motivation 


a) What particularly do you like about your work? What is important to you? 

b) What matters mainly in your area of responsibility? What skills are 
important for your work? 

c) What particularly appeals to you about your work? What is personally 
interesting for you? 

d) Are there any tasks that are fun for you, and what exactly is it that is fun? 

e) What is the proportion of creative or administrative development work 
according to your own assessment? 

f) Are you satisfied with this? 


If not: 


g) What proportions would you like to emphasize more? 
h) Do you have something else that you want to supplement? 


Moderation: Thank you very much for your acceptance and readiness to provide 
information! 




Suggested online questionnaire on guided development 


Suggestion for a quantitative online survey about the potentials and hindrances 
of a guided development process 


Dear participant, 


First of all, I would like to thank you very much for your participation in 
this study. The survey will take between 10 and 15 minutes. A specially selected 
group of people is being asked; their opinions are taken as representative of 
the response of many. 

Of course, your information will be treated confidentially and evaluated 
anonymously. Thus, it is impossible to draw conclusions about your person 
afterwards. The strict scientific principles of market and social research 
are applied. I guarantee the security of your data and thus compliance with 
data protection law. 

In the following survey you will find some questions about guidance-based 
development. This concerns only your personal opinion; there is no “right” or 
“wrong”. Please click on the appropriate box or write your answer in the field 
provided. 


Thank you very much! 
Contents of the Online Survey 
A. Knowledge and personal use of guided development 
B. Attitude to and evaluation of guided development 


C. Demography 


A. Knowledge and personal use of guided development 


1. Have you personally heard about development guidelines? 


O yes, and namely: ............... 


2. Were you personally involved in the development of new vehicle functions? 


O yes, indeed in the area of: ............... 


O no 


3. How often have you personally used structured guidelines? 


O very often 
O frequently 
O occasionally 
O rarely 
O never 


4. In which development phases have you personally used guidelines? 


O Definition phase 

O Concept phase 

O Concept confirmation 

O Construction 

O Test phase 

O Validation and sign-off 

O in another phase, namely: ............... 

O in none of the mentioned phases 
B. Attitude to and evaluation of guided development 


5. In the following, I would like to ask you to evaluate a structured 
guideline-based development with regard to different characteristics. 


You will find opposing property pairs with regard to which a structured 
guideline-based development should be evaluated. 


The respective properties represent the extremes; with the values in 
between you can gradate your estimation. 


Structured guideline-based development ... 


... is superfluous                                   O O O O O   ... is necessary 
... is confusing                                     O O O O O   ... is [right-hand pole illegible in source] 
... is difficult to understand                       O O O O O   ... is easy to understand 
... needs a lot of training time                     O O O O O   ... needs little training time 
... is very difficult to integrate into everyday     O O O O O   ... is very easy to integrate into everyday 
    working life                                                     working life 
... is not anchored in the work process              O O O O O   ... is strongly anchored in the work process 
... should be published as a standard                O O O O O   ... should remain a self-obligation 
... is absolutely irrelevant for my work             O O O O O   ... is extremely relevant for my work 
XXX                                                  O O O O O   XXX 
XXX                                                  O O O O O   XXX 
XXX                                                  O O O O O   XXX 
XXX                                                  O O O O O   XXX 


6. How would you probably apply the Code of Practice in the next development 
for automated vehicles? 


O from the start of development 

O in relevant phases of development 

O from time to time when brought to my attention 
O at the end of the development 

O not at all 

O I don't know 
C. Attitude to the own work 


7. In the following I am interested in your personal attitude towards your 
daily work life. 

Please use the scale from 1 to 10, whereby ++ stands for “I agree completely” 
and -- for “I disagree at all”. 

With the values in between, you can scale your assessment. 


                                                            ++   +   +/-   -   -- 

I like to work according to given patterns and standards.    O   O   O     O   O 
I am also interested in the work contents from other         O   O   O     O   O 
departments. 
In my work it is not possible to plan one week in advance.   O   O   O     O   O 
I like working in a team.                                    O   O   O     O   O 
I enjoy my current work.                                     O   O   O     O   O 
I'm bored with always the same day-to-day work.              O   O   O     O   O 
I like to work creatively and innovatively.                  O   O   O     O   O 
I can work more effectively on my own.                       O   O   O     O   O 
I keep a close watch on all regulations that affect my work. O   O   O     O   O 
XXX                                                          O   O   O     O   O 
XXX                                                          O   O   O     O   O 
XXX                                                          O   O   O     O   O 
XXX                                                          O   O   O     O   O 


8. XXX? 


O Xxx 
O Xxx 
O Xxx 
O Xxx 
O xxx 
O I don't know 




D. Demography 
Finally, a few questions about yourself: 

9. Gender: O male O female 


10. Your age? 


11. How many people work together in your current team? 


............... persons 


12. Your position in the company? 
O Executive board 

O Executive / manager 

O Executive employee 

O Employee 

O Specialist worker 

O Worker 

O Xxx 


13. Area in which you are currently working? 


14. 


15. xxx? 


O xxx 
O xxx 
O xxx 
O I don't know 


Thank you for your time and feedback!! 
See page 180 to 182: 

— Unfallart (type of accident) 
— Charakteristik Unfallstelle (characteristics of the accident scene) 
— Besonderheiten Unfallstelle (particularities of the accident scene) 
— Lichtzeichenanlage (traffic lights) 
— Geschwindigkeitsbegrenzung (speed limit) 
— Lichtverhältnisse (light conditions) 
— Straßenzustand (road condition) 
— Aufprall auf Hindernis (collision with obstacle) 
— Besonderheiten (particularities) 
— Verkehrstüchtigkeit (roadworthiness) 
— Spuren / Technische Mängel (markers / technical failures) 
— Maßnahmen (measures) 
— Beteiligte (participants) 
— Fahrerlaubnis (driving license) 
— Fahrzeug (vehicle) 
— Unfallfolgen (accident consequences) 
— Straftaten / Ordnungswidrigkeiten (crimes / administrative offences) 
— Sondererhebungen (special surveys) 
— Sonstige Geschädigte (other victims) 
— Zeugen (witnesses) 
— Sachverhalt (facts of the case) 
[Form IBP 043a (2003-05-22), first page of the accident report, reproduced as an 
image; recoverable field labels: Aktenzeichen (file number); header fields 
(garbled in source) for seriously injured, slightly injured and total damage 
in EUR; Katalogwerte (catalogue values); Besonderheiten (particularities 
regarding the traffic situation, the accident location, the traffic regulation, 
etc.); Verkehrstüchtigkeit (roadworthiness of the persons involved in the 
accident, stating the serial number; in the case of alcohol/drug influence 
always stating the signs of impairment); Spuren/Technische Mängel 
(markers/technical failures that allow conclusions about the course of the 
accident; stating the serial number); Maßnahmen (measures, in particular under 
criminal procedure; stating the serial number); Ausfertigung für (copy for): 
Staatsanwaltschaft (public prosecutor's office), Unfalluntersuchung (accident 
investigation), Aufnehmende Polizeidienststelle (recording police station), 
Bußgeldstelle (fines office), Straßenbaulastträger (road authority), örtlich 
zuständige PI (locally responsible police inspectorate)] 


Fig. A.1 German Traffic Accident Report “Verkehrsunfallanzeige Personen-, Sachschaden“. 
(Source: The Bavarian Ministry of the Interior and Integration) 


[Form IBP 043b (2003-05-22), second page; recoverable field labels: 
Verkehrsunfall vom ... Uhr (traffic accident of ... at ... o'clock); 
Verletzungsgrad (degree of injury)] 


Fig. A.1 (continued) 


[Form IBP 043c (2003-05-22), third page; recoverable field labels: Sachverhalt 
(facts of the case); Ort (place); Name, Amtsbezeichnung, Unterschrift (name, 
official title, signature)] 


Fig. A.1 (continued) 
[Chart; axes: User Expectations / Level of Automation] 


Fig. A.2 User expectations and level of automation. (Source: ADAS Code of Practice) 
Documentation Sheet 


Code of Practice for ADAS: 


This ADAS has been developed in compliance with the CoP and is recommended for sign off. 


Fig. A.3 Example Documentation Sheet. (Source: Knapp A, Neumann M, Brockmann M, 
Walz R, Winkle T (2009) ADAS Code of Practice) 
[Chart; question: How do you think road safety will change as a result of the 
following levels of automation?] 


Fig. A.4 User safety expectations with increasing level of automation. (Source: Schierge 
Frank (2017) Sicherheit autonomer Fahrzeuge, Ergebnisse der Verbraucherbefragung in 
Deutschland, USA und China, TÜV Rheinland Kraftfahrt GmbH, Innovations- und 
Marktforschung, Köln) 


198 Additional Figures 


Question: To what extent do you agree with the following statements on the 
safety of autonomous vehicles on the road? “In an autonomous vehicle, humans 
should always have the opportunity to intervene in an emergency.” 


[Chart; categories: Partially automated, Highly automated, Fully automated, 
No driver; vertical axis from "Improves safety" to "Degrades safety"; series: 
Germany, USA, China] 


Fig. A.5 Rating of safety in relation to the automation level. (Source: Schierge Frank (2017) 
Sicherheit autonomer Fahrzeuge, Ergebnisse der Verbraucherbefragung in Deutschland, USA 
und China, TÜV Rheinland Kraftfahrt GmbH, Innovations- und Marktforschung, Köln) 
Question: To what extent do you agree with the following statements on the 
safety of autonomous vehicles on the road? “In an autonomous vehicle, you 
should always have the opportunity to intervene in an emergency.” 


[Chart; average value per country; scale 1 = I totally agree, 2, 3, 4, 5, 6, 
7 = I totally disagree] 


Fig. A.6 Agreement of opportunity to intervene in an emergency. (Source: Schierge Frank 
(2017) Sicherheit autonomer Fahrzeuge, Ergebnisse der Verbraucherbefragung in Deutschland, 
USA und China, TÜV Rheinland Kraftfahrt GmbH, Innovations- und Marktforschung, 
Köln) 
[Chart; title: Interventions required per 1000 miles] 


Fig. A.7 Interventions required per 1000 miles from test-drives for the period from 
December 2017 to November 2018 (all organizations in California that had a license to 
operate autonomous vehicles). (Source: Department of Motor Vehicles (DMV), Autonomous 
Vehicle Disengagement Reports 2018) 




Fig. A.8 Levels of Automation with Scope ADAS and AD Code of Practice. (Source: Winkle 
T., Bengler K. (2020), Level 3 pilot EU Project, ADAS Code of Practice, https://www.ace 
a.be) 
Fig. A.9 Aschaffenburg/Alzenau traffic accident site: accident possibly caused by active 
steering assist? (Source: Police Headquarters Unterfranken Würzburg) 




Fig. A.10 Aschaffenburg/Alzenau traffic accident site overview. (Source: Bayernviewer, 
BayernAtlas and GeodatenOnline, Bayerische Vermessungsverwaltung, Bavarian Agency for 
Digitization, High-Speed Internet and Surveying, https://www.geodaten.bayern.de) 
[Chart; axes: Distance / Time / Speed] 


Fig. A.11 Uber test vehicle: Relationships between distance/time/speed from accident 
simulation. (Source: Winkle T, Data: National Transportation Safety Board. Vehicle 
Automation Report (2019)) 
Time before impact [s] | Speed [mph] | Speed [km/h] | Sensor classification and path prediction | Further incidents and more details 
-5.6 | 44 | 70.8 | Classification: Vehicle - by Radar. Path prediction: None - not on the path of the Volvo | Radar recognizes first detection (rest of cell illegible in source) 
-5.2 | 45 | 72.4 | Classification: Unknown Object - by Lidar. Path prediction: Static, not on path | Lidar recognizes first detection of an unknown object, no speed determined 
-4.2 | 45 | 72.4 | Classification: Vehicle - by Lidar. Path prediction: In left lane | No tracking history, vehicle predicted as traveling in left lane 
-3.9 | 45 | 72.4 | Classification: Vehicle - by Lidar. Path prediction: In left lane | Tracking history, vehicle predicted as traveling in left lane 
-3.8 until -2.7 | 45 | 72.4 | Classification: alternated several times between vehicle and unknown - by Lidar. Path prediction: alternated between static and left lane, not considered on path of the Volvo | At each change the object's tracking history is unavailable and the object's path is predicted as static. When the classification remains the same, the ADS predicts the path as traveling in the left lane 
-2.6 | 45 | 72.4 | Classification: Bicycle - by Lidar. Path prediction: Static, not on path | Changed classification of object, no tracking history 
-2.5 | 45 | 72.4 | Classification: Bicycle - by Lidar. Path prediction: Not on the path | ADS predicts the bicycle path as traveling in the left lane 
-1.5 | 44 | 70.8 | Classification: Unknown - by Lidar. Path prediction: Static, partially on the path of the Volvo | Changed classification, ADS generates a motion plan around the object, maneuver to the right 
-1.2 | 43 | 69.2 | Classification: Bicycle - by Lidar. Path prediction: Volvo travel lane | Again changed classification, no tracking history, hazard situation, action suppression begins 
-0.2 | 40 | 64.4 | Classification: Bicycle - by Lidar. Path prediction: Volvo travel lane | An acoustic warning has been generated to indicate that controlled deceleration has been initiated 
-0.02 | 39 | 62.8 | - | Vehicle operator takes control of the steering wheel -> deactivating ADS 
0 | - | - | - | Impact 
1.8 | 37 | 59.5 | - | Safety driver brakes 
3.1 | 0 | 0 | - | Final position 


Fig. A.12 Uber data recorder: time, speed, Artificial Intelligence sensor classification, 
trajectory prediction. (Source: Winkle T, Data: National Transportation Safety Board. 
Vehicle Automation Report 2019) 
[Chart; title: Total annual mileage in Germany and fatalities] 


Fig. A.13 Total annual mileage in Germany. (Source: Statistisches Bundesamt (2021), * Until 
1990 former federal state of Germany, until 1952 without Saarland, until 1952 fatalities on 
the day of the accident, from 1953 fatalities within 30 days after the accident) 


[Chart; title: Kilometers driven in Germany without fatalities. Left axis: 
traffic fatalities* (0 to 20,000); right axis: kilometers in 1,000 (0 to 
280,000,000). Series: Kilometers driven in Germany without fatalities; Annual 
road accident fatality numbers in Germany. Years: 1970, 1980, 1990, 2000, 
2005, 2010, 2012 to 2020. The highest bar label is 19,193, the lowest 2,719.] 


Fig. A.13 (continued) Kilometers driven in Germany without fatalities. (Source: 
Statistisches Bundesamt 2020), * Until 1990 former federal state of Germany, until 1952 
without Saarland, until 1952 fatalities on the day of the accident, from 1953 fatalities 
within 30 days after the accident) 
[Chart; title: Kilometers driven in Germany without injury] 


Fig. A.14 Kilometers driven in Germany without injuries. (Source: Statistisches Bundesamt 
(2020), * Until 1990 former federal state of Germany, until 1952 no Saarland) 
[Chart; title: Kilometers driven in Germany without property damage. Left 
axis: traffic property damage* (0 to 2,500,000); right axis: kilometers in 
1,000 (0 to 350,000). Series: Kilometers driven in Germany without property 
damage; Annual road accident property damage numbers in Germany. Years: 1970, 
1980, 1990, 2000, 2005, 2010, 2012 to 2020.] 


Fig. A.15 Kilometers driven in Germany without property damage. (Source: Statistisches 
Bundesamt (2021), * Until 1990 former federal state of Germany, until 1952 without Saarland, 
until 1952 fatalities on the day of the accident, from 1953 fatalities within 30 days after the 
accident) 
Fig. A.16 Social and legal judgement: Human perception versus Artificial Intelligence 
machine perception 
Fig. A.17 Image classification error rates: Artificial Intelligence models versus human error 
rates. (Data Source: ImageNet ILSVRC Top-5 (2020), Statista 2020, He K et al. (2015) 
Surpassing Human-Level Performance on ImageNet Classification (2015), Russakovsky O 
et al. (2015) ImageNet Large Scale Visual Recognition Challenge, Dodge S, Karam L (2017)) 
[Fig. A.18 chart: Maximum total area of action (car to x communication), use cases with direct safety impact, GIDAS data]

Fig. A.18 Maximum total area of action (car to x communication). Data Source: Winkle T,
et al. (2009) Accident data analysis - GIDAS area of action analysis: simTD use cases
Fig. A.19 Aspects of inner balance in interdisciplinary teams. Data Source: Winkle T (2021),
Snarch D (2018). (Source: Elnur/Shutterstock)

Fig. A.20 Implications of Deep Neural Network Image Recognition on ethics and law in
product development
5G Communication Fifth Generation: Fifth generation of the mobile communications
standard, builds on the existing “Long Term Evolution” (LTE) standard for three
different applications: Enhanced Mobile Broadband (eMBB), Massive Machine Type
Communication (mMTC) mainly for the “Internet of Things” (IoT) and Ultra-reliable and
Low Latency (uRLLC) for example for autonomous driving technology or industrial
automation (Andrews J G et al., 2014)

Abbreviated Injury Scale (AIS): Anatomical scoring system to rank the severity 
of injury (Association for the Advancement of Automotive Medicine). 

Accident type (UTYP): The UTYP (German: Unfalltyp) categorizes the conflict 
situation, which is the traffic scenario in the pre-phase that resulted in the 
conflict, into seven main types. These are divided into two further levels (see 
Sect. 3.3.2.3). The type of impact is not important. 

AcciMap: An approach by Jens Rasmussen which was designed to analyze the
socio-technical background of accidents from different areas by identifying
the combination of causal events. It graphically reflects the various factors
contributing to an accident and their interrelationships in the following six
areas: government policing and budgets, regulatory agencies and organizations,
local healthcare economics planning and budgeting (including hospital
governance), technical and operational processes, incidents, processes with
associated conditions and final outcomes (Rasmussen J, 1997).

Action: An event that was initiated by the driver or the automated driving system. 

Action slip: A human action that differs from the desired intention. For example,
the driver wants to brake (decelerate) but unintentionally presses the
accelerator pedal.
Adaptive Cruise Control (ACC): Advancement of conventional cruise control.
It allows the subject vehicle to follow a forward vehicle in a range of a selected
distance by controlling the engine, power train, and the brake within the
technical limits.

ADAS Code of Practice: A guideline with procedures and processes that may
be used during specification and realization of advanced driver assistant systems
(ADAS). It supports from the first idea of an ADAS or other automated
systems (e.g. Heading Control, autonomous emergency brake) until marketing
to declare reasonable safety and duty of care. ISO 26262:2018 refers in part
3 table B.6 to the ADAS Code of Practice definition prepared in Response 3
regarding: C0: Controllable in general, C1: Simply controllable, C2: Normally
controllable, C3: Difficult to control or uncontrollable. Published at: www.acea.be

AlexNet: Convolutional neural network (CNN), designed by Alex Krizhevsky.
AlexNet won the LSVRC-2012 image recognition classification contest.

Architecture: The elementary organization (hardware and software) of a system
embodied in its components (interaction between components or the
environment) and the rules guiding its design and advancement.

Area of action: An area of action comprises the accidents on which a system can 
have an influence. The effective field varies depending on the specification of a 
system. As a result, it represents an initial estimate of the maximum achievable 
potential within the automation level under consideration. 

Area of efficiency: Compared to an area of action, the actual efficiency of a
function is usually significantly lower. Efficiency is the effect that a specified
system actually has. It is either proven by accident events (a posteriori)
or predicted by simulation (a priori). The determination of an area of efficiency,
therefore, requires precise knowledge of the system specification with
corresponding functional limits and the driver’s behavior.

Artificial intelligence (AI): An area of computer science that deals with the
automation of intelligent behavior. In 1956 John McCarthy coined a definition
of Artificial Intelligence (AI) systems as the “science and engineering of
making intelligent machines”. AI systems give a digital computer or computer-
controlled robot vehicle the ability to perform tasks commonly associated with
intelligent beings. Research in the field of Artificial Intelligence systems with
deep neural network learning for object detection and image recognition is
crucial for self-driving technologies and dominates the ranking of most highly
cited publications worldwide (see He K et al. 2016; Krizhevsky A et al., 2017).
ASIL decomposition: The redundant distribution of safety requirements to sufficiently
independent elements with the aim of lowering the ASIL of redundant
safety requirements assigned to the corresponding elements.

As Low As Reasonably Practicable (ALARP): States that risks should be reduced
to a level that guarantees the highest degree of safety that is reasonably
practicable (limitation of maximum expected damage).

Augmented Analytics: An approach to data analysis using machine learning and
natural language processing to automate analytic processes usually performed
by a specialist or data scientist (Prat N, 2019).

Automated Driving: The classification and definition for road vehicles with
automated driving systems has been described in the generally accepted SAE
J3016 standard from SAE International since January 2014. The classification
divides into six levels with the definition of their minimum requirements (Level
0 = No Automation: Features are limited to warnings and short-term interventions
(e.g. ABS or ESP); Level 1 = Driver Assistance: Support for longitudinal
or lateral guidance; Level 2 = Partial Automation: Support for longitudinal and
simultaneous lateral guidance; Level 3 = Conditional Automation: Automated
driving where the driver must respond to a request for intervention; Level 4
= High Automation: Automated vehicle guidance without the driver having to
intervene on a take-over request; Level 5 = Full Automation: Fully automated
driving under all road and environmental conditions).

Automotive Safety Integrity Level (ASIL): Four levels to determine the risk 
and the requirements for risk reduction. ASIL A describes the lowest and ASIL 
D the highest risk reduction class (see ISO 26262, ADAS Code of Practice, 
Code of Practice for Automated Driving, Safety of the intended functionality). 

Autonomous driving: Autonomous driving technology can be defined as mobility
by means of a road vehicle that is not bound to a limited infrastructure
(e.g. rails, power supply lines) and that is operated exclusively by entering
or adapting a mission by humans or even assigns itself a mission independently
(e.g. driving to a charging station after a successful transport mission).
The mission always consists of a transport task from A to B with transport of
goods, persons or only the vehicle itself (see Wachenfeld et al., 2016; Matthaei
et al., 2016)

Autopilot: A definition of the term autopilot is an automated, typically programmable,
control system that automatically guides means of transportation
on demand without human interaction while the autopilot is active. Usually
refers to a computer that processes environmental information from the
instruments to determine how the mobility system should be guided. Advertising
statements of the car manufacturer Tesla for an automated level 2 system,
such as “full potential for autonomous driving”, “Autopilot: included” and
“By the end of the year: autonomous driving in urban areas” were considered
misleading for consumers by the Landgericht München I (see decision of
14.07.2020, Reference number 33 O 14041/19).

Avoidability: (Vermeidbarkeit) The avoidability of an accident is given to a person
involved in an accident if they could have prevented the collision by
observing the maximum permissible speed or the locally appropriate speed
or if he could have reasonably been expected to react. A distinction is made
between geographical and time-related avoidability.

- In geographical terms, an accident can be avoided if the person involved
would not have reached the point of collision in compliance with the requirements
mentioned above since he would have stopped before the point of
collision.

- In terms of time, an accident can be avoided if the person involved had reached
the collision site late in compliance with the requirements as mentioned
earlier so that the other party had the opportunity to leave the hazardous area
in sufficient time.

Behavioral Changes (Adaptation): Changes in driver behavior that may occur 
as a result of changes to the road-vehicle-driver system. 

Best practice: A specific procedure that is generally recognized as the most 
reasonable approach: it could also be regarded as a “de facto” standard. 

Blockchain: A steadily expandable list of records, called “blocks”, which are
chained to each other by means of a cryptographically secure hash (variance
coefficient) of the previous block, a timestamp and transaction data. Later transactions
build on earlier ones and confirm them by proving knowledge of the
earlier transactions. (Swan M, 2015; Zheng Z et al. 2017).

Burden of proof: (Beweislast) Regulation of the question concerning which 
party, in order to win, must provide evidence of facts disputed by the other 
party that are relevant to the decision. 

Business Intelligence: Procedures and processes of business informatics for the
systematic analysis of one’s own company. This includes the collection, evaluation
and presentation of data in electronic form to gain insights from company
data to support management decisions such as cost reduction, risk reduction
and value creation (Chen H, 2012).

Calibration data: Data used in the development process after the software has 
been created, such as vehicle-specific parameters (adaptation values). 

Car Clinics: The specific term “clinics” is based on the fact that test persons are
invited for a test: either static (without driving) or dynamic where the vehicle
can drive in a true-to-life scene with automated components. They can be
conducted on a public road or a test track.

Car Sharing: Car sharing means the organized joint use of one or more cars on 
the basis of a framework agreement and could develop much greater potential 
in combination with self-driving vehicles (Lenz B, Fraedrich E 2016) 

Cascading failure: Failure of one element within an item, resulting in failure of 
another element or elements of the same item (ISO 26262) 

Cloud computing (computer cloud or data cloud): IT infrastructure that is 
made available, for example, via the Internet. It usually includes storage space, 
computing power or application software as a service (Mell P et al., 2011; 
Marston S et al. 2011). 

Code of Practice: A general Code of Practice definition: a guide that supplements
laws, regulations and methods to provide detailed practical instructions
on how to comply with legal requirements (state of science and technology,
duty of care). A Code of Practice is legally binding unless there is another
solution with the same or a better standard. Courts tend to regard a code of
practice as proof of what is recognized about a hazard, risk or control and what
preventive measures are “reasonably practicable” (Examples for the development
of safe automated vehicles are the ADAS Code of Practice, the Code of
Practice AD or a Code of Ethics for Artificial Intelligence)

Code of Practice AD: A draft Code of Practice example for Automated Driving 
(CoP-AD) was developed in the L3Pilot project. The scope for the CoP-AD is 
set to cover SAE Level 3 and Level 4 functions. This document does not focus 
on Level 0, Level 1 and Level 2 functions. These are covered by the CoP for 
ADAS: see the RESPONSE 3 project (Knapp et al., 2009). 

Collision Avoidance: A system to warn of a threatening collision within the
technical limits. The report of the German Ethics Committee for Automated
and Connected Vehicles requires that technology should prevent accidents
wherever practically possible (Di Fabio U, 2017).

Collision Mitigation: A system that can reduce the impact forces of a collision 
for vehicle occupants or unprotected road users to mitigate the consequences of 
an accident by intelligent automated braking or steering before, during and/or 
after a first collision. 

Common Cause Failure (CCF): Failure from two or several elements of an item 
due to a single specific event or a single cause (ISO 26262) 

Computer and Internet criminal law: Relevance for autonomous systems in
road traffic, in factories and in medicine. New problems of substantive criminal
law and criminal procedural law must be identified and confronted with
the new technical aspects (forms of crime caused by computer networks, the
Internet) (Hilgendorf E, Valerius B, 2021)

Concept phase: A development phase starting with an initial functional description
and ending with transfer to series development. The generic development
process presumed in chapter 4 divides the concept phase initially into a definition
phase, then a phase of comparison of alternative concepts and finally a
proof of a selected concept.

Consumer protection: (German: Verbraucherschutz, Austrian and Swiss: Konsumentenschutz)
describes the entire range of activities and measures to protect
people in their role as consumers or users of goods or services. For expert advice,
consumers can contact a consumer protection agency or consumer protection lawyers
who are familiar with consumer protection laws.

Controllability: The probability that the driver can handle driving situations up
to highly automated driving within the intended function, the system limits
and system failures (see ISO 26262 and ADAS Code of Practice). C0 stands
for “controllable in general” (e.g. handling a distraction). C1 means “simply
controllable”, where 99% of the average driver or other road users can control
the situation. C2 means “normally controllable”, where about 90% of average drivers
are in control of the situation. C3 means “difficult to control or uncontrollable”.
Controllability definition in ISO 26262: The ability to avoid a specified harm
or damage through the timely reactions of the persons involved, possibly with
support from external measures.

Convolutional Neural Network (CNN): Artificial Neural Network — inspired by
biological processes with definition and application in numerous technologies
of Artificial Intelligence systems, mainly machine processing of image
or audio data (Ji S, 2013)

Corporate Sustainability: Ethical, social, environmental, cultural and economic 
organizational business strategies for longevity, transparency and appropriate 
employee development. Corporate Social Responsibility (CSR), on the other 
hand, is based on ethics, morals and standards in the long term. 

Cost management: Management process in which the costs in a company in particular
are analyzed and influenced in a goal-oriented way. Even for the automotive
industry, cloud costs for data storage, computing power for flexible networked
production (Industry 4.0) and automotive products are rising.

Cybersecurity: Protection against illegal or non-authorized misuse of electronic 
data or the measures taken for this purpose. 

DARPA Grand Challenge: Competition for unmanned land vehicles sponsored
by the Defense Advanced Research Projects Agency of the US Department of
Defense. The competition was held in 2004 (without successful team), 2005
(1st Stanford University) and 2007 (1st Tartan Racing, 2nd Stanford Racing
Team).

DeepMind (formerly Google DeepMind): Artificial intelligence (AI) programming
company founded in September 2010 and acquired by Google Inc. in 2014.
Combines trial-and-error learning with neural networks (Reinforcement Learning,
RL) to achieve superhuman abilities.

Deep Neural Network (DNN): Artificial Neural Network (ANN) with several 
layers in between the input and output layers (see Annex Fig. A.20). 

Definition Phase: The first development sub-phase within the concept phase 
where the system definition is created. 

Degree of efficiency: Describes the percentage that expresses the relative efficiency
of a function. It is always dependent on the unclear notion of the area
of action which is an estimate of the maximum achievable potential (degree of
efficiency = area of efficiency/area of action = x [%]).

Deposition: A statement given by a party or witness (as an expert) in responding 
to an oral examination or written question under oath and documented by an 
authorized person. 

Design Thinking: Human-centered approach to innovation using the designer’s
toolbox to integrate people’s needs, technology’s capabilities, and business success
requirements (see Tim Brown, CEO IDEO). For example, the process
model from the Hasso Plattner Institute in Potsdam distinguishes six steps:
1. understand, 2. observe, 3. define point of view, 4. find ideas, 5. create a
prototype, and 6. test.

Development Interface Agreement (DIA): Agreement between customer and 
supplier specifying responsibilities for activities, verification or work products 
to be exchanged by each party (ISO 26262). 

Development phases: Several phases in the development where the system is
developed from the first idea until the start of production (related to the establishment
of a production within the product development). The general phases
of automotive development (from the requirements, the preliminary sign-off up
to the SOP) can be represented by a V-model (see Fig. 4.13)

Dilemma (ethical): An ethical-moral situation in which several activities are 
required at the same time, but are excluded from each other. Following one 
requirement leads to a violation of the other (trolley-problem). The reaction 
of an algorithm in types of dilemma example situations should be based on 
social acceptance, whereby internationally different understandings of law and 
values make common ethics difficult. 

Driver assistance systems: Support of the driver in his primary driving task
without taking over the driving task completely, so that the responsibility
always remains with the driver. ADAS represent a subset of driver assistance
systems and provide active support for lateral or/and longitudinal guidance
with or without warnings. They recognize and evaluate the vehicle environment,
using complex signal processing and direct interaction between the
driver and the system, with main focus on the maneuvering level (ADAS CoP).

Dual-mode vehicle: A vehicle that can travel on conventionally surfaced roads, a 
railroad track or a special track known as a “guideway”. Originally studied to 
make electric cars suitable for inter-city traffic without the need for a separate 
engine. 

Duty of Care: A legal definition and obligation in tort law to protect from 
foreseeable harm. It demands fulfillment to generally accepted standards of 
reasonable care. The violation of a duty can lead to liability. In practice, there 
are considerable differences between the legal systems of common law with 
regard to the particular situations in which this duty of care applies. 

Electric mobility (e-mobility): Networked industry sector that focuses on mobility
needs through vehicles with energy storage systems (Li-Ion battery),
electric drive and charging infrastructure. The degree of electrification varies,
such as electric railroads, electric boat or ship, electric car, electric scooter or
motorcycle, electric tricycle, battery bus, electric truck and electric bicycle.

Enterprise Resource Planning (ERP): An ERP system supports efficiency of 
main business processes, for example planning, control and management of 
resources (capital, personnel, operating resources, materials, information and 
communication technology). A well-functioning ERP system is increasingly 
supported by real-time (often cloud based) software (e.g. Netsuite, SAP, Sage, 
Oracle, Microsoft Dynamics) and can also optimize the value chain of safe 
automated vehicle components (Umble E et al., 2003). 

Error: The contrast between the desired and real value — or performance of a 
system or a human action. 

Ethics Commissions: Committees established by universities, professional associations
or countries to advise, control and supervise scientists in ethical and
legal aspects.

Exposure: The exposure according to ISO 26262 and the connected ADAS Code
of Practice definition describes the frequency of the driving situation. E1 stands
for “very low” probability. The situation happens less frequently than once a year
for most drivers. E2 means “low probability” and appears a few times a year.
E3 “medium probability” describes situations that occur once a month or more
frequently for the average driver. E4 “high probability” appears almost every
trip.
Failed Degraded (FD): Provision of a safe system for a specified period of time
until a Minimum Risk Condition (MRC) is achieved.

Fail-safe state: A backup mode or fallback solution (Fail Degraded) so that no 
damage is caused if a hazardous system failure occurs. 

Failure: The inability of a system or a single component to perform its intended 
function as described. 

Failure Mode and Effect Analysis (FMEA): A method to analyze potential failures
in a system or a process, to evaluate consequences and define corrective
measures.

Fault: An abnormal state or defect at the component or subsystem level which 
will lead to failure. 

Fault Tree Analysis (FTA): FTA is a procedure for reliability analysis of technical
systems. It is based on Boolean algebra to determine the
probability of a failure of an installation or overall system.

Field Operational Tests (FOT) collect data (such as driving behavior, reactions, 
traffic situation, position data) from vehicles with systems under investigation, 
which are equipped with recording devices. The euroFOT project was the first 
wide-ranging FOT in Europe (Benmimoun M et al., 2013). 

Field studies: Field studies collect the data (in contrast to the supplementary 
laboratory studies) in a natural environment. This includes analyses of traffic 
accidents, vehicle operating data, field operational tests (FOT) and naturalistic 
driving studies (NDS). 

Five Aspects of Balance: For a more adaptive, creative, mature and grounded
(“better differentiated”) collaboration of all experts in the development process,
the four aspects of balance, adapted from Professor David Snarch, can support:
1. a stable and flexible self, 2. an open and mindful heart, 3. a clear mind, 4.
moderate reactions and 5. meaningful persistence. Differentiation is the ability
to balance our needs for autonomy and commitment. The aspects of inner
balance are powerful tools and can support when leaders, experts or others
are under massive stress or do not know how to decide (see Annex Fig. A.19,
Snarch D, 2018).

Foolproof design: Well-designed and fail-safe to protect against human failure,
incompetence, misuse or somebody with low intelligence, who cannot use it
properly.

Force majeure: (Höhere Gewalt) Arises as soon as an external event occurs caused
externally by forces of nature or by the actions of third parties, which is
almost unpredictable according to human insight and experience and cannot
be prevented even by applying extreme care. Force majeure may occur,
for example, in the event of natural disasters, hurricanes or earthquakes.
Functionality: A series of functions connected with software and/or hardware.

Functional Requirements: A description of what the system is intended to do.
Functional requirements define user functions, system limits or types of inputs
and outputs.

Functional Resonance Analysis Method (FRAM): The FRAM method aims
to go beyond the concept of failure and human error. It is used to explain specific
events that can lead to unexpected success as well as failure by coupling
and varying everyday performance. The method is based on four principles: 1.
the equivalence of success and failure, 2. the approximate adaptations, 3. the
emergency and its functional response (Hollnagel E 2012).

GAIA-X: A project to establish an efficient and competitive, secure and trustworthy
data infrastructure for Europe, supported by representatives from business,
science and administration including European partners.

Google Scholar: A search engine by Google which is used for general literature
research of scientific documents. It indicates the number of citations and
references to similar articles or topics, such as Deep Learning.

Harm: Physical injury or mental damage to the health of persons either directly 
or indirectly. 

Hazard: A potential cause of harm (caused by malfunctioning behavior of the 
item — ISO 26262). 

Hazard analysis and risk assessment (HARA): A Hazard analysis and risk 
assessment (German: Gefahren- und Risikoanalyse — GuR) is specified by 
ISO 26262 as a structured procedure for determining whether a system is a 
safety-relevant system and, if so, the degree of safety relevance. 

Hazard and Operability Study (HAZOP): A systematically qualitative technique
for the determination of process hazards and potential operational
problems with guidelines for the investigation of process deviations.

High Performance Team: A defined group of people that achieves or tries to 
reach the best results within the framework of a superior system through high 
competence, target focus and intensive cooperation. 

Hazardous Situation: A situation in which a person is subjected to hazards.

Homologation: The granting of authorization by an official authority based on a 
set of strict rules or standards. 

Hub2Hub transports: The driverless connection between logistics centers to 
save costs. In particular, fully automated trucks that operate on long-distance 
routes between logistics hubs. 

Human Machine Interaction (HM Interaction): All potential modes of inter- 
action (direct or indirect) between the driver and one or more vehicle 
systems. 
Human Machine Interface: An element or sub-element of a system with which
the driver can interact (input and output devices such as buttons, switches,
levers, indicators) enabling interaction between the driver and one or more
vehicle systems.

ImageNet: Visual record containing over 15 million high-resolution labelled 
images that cover nearly 22,000 different categories and is used by researchers 
to test their image classification model (Russakovsky O et al. 2015). 

Impact analysis: The analysis determines which areas and previous work products
are affected by an intended change.

Innovation: (also called “novelty” or “remaking”; derived from Latin innovare 
“to renew”) is used in business in the sense of new ideas and inventions and 
for their economic implementation. 

Intervening system: A system that triggers a braking or steering system using 
information from environmental sensors, in order, for example, to reduce or 
avoid the damage of a lane departure or a collision. 

In-vehicle Information System (IVIS): A system that supports the driver with 
information on the navigation task to help the driver achieve the goal. Also 
known as the “Driver Information System”. 

Kanban: A method of production process management with the aim of controlling
the value chain at each manufacturing stage of a multi-stage integration
chain in a cost-optimized manner.

Knowledge Management: A summarizing term for all strategic or operational
activities and management tasks that aim at the best possible use of knowledge
in many disciplines (business administration, information science, social
science, education, business informatics), (Alavi M, et al., 2001).

Lean Management: Refers to the entirety of intellectual principles, methods and 
procedures for the efficient design within the entire value chain of industrial 
goods. 

Lifecycle: Entirety of phases from concept through decommissioning of the item 
(ISO 26262) 

Machine learning (ML): A general term for the “artificial” creation of knowledge
from experience using examples and differs from the term “deep learning
(DL)”, which is only one possible learning method using artificial neural
networks.

Malfunction: Refers to a system that does not perform its intended function. 

Malfunctioning behavior: Failure or unintended behavior of an item with 
respect to its design intent (ISO 26262). 
Maneuvering Level: The second of the three levels of a driving task (see
also Stabilization and Navigation Level). Driving tasks that are related to
compliance with traffic rules and the avoidance of collisions.

Mindfulness: Conscious awareness and experiencing the present moment
without distraction of thought streams or strong emotions. Demonstrated by
effective communication between stable attention and perceptual, focused peripheral
awareness. Through this effective communication, leadership with its
team members can respond meaningfully to environmental conditions. Enhanced
mindfulness, for example through Mindfulness Based Stress Reduction
MBSR, enables effective differentiation between conflicting information in
order to extract what is essential.

Mindfulness-Based Stress Reduction (MBSR): Training for a focused direction
of attention by developing, practicing, and stabilizing extended mindfulness
as a program for stress management (Achtsamkeitsbasierte Stressreduktion)
through mindful body awareness (body scan) derived from body therapy
methods, mindful performance of “yoga postures” (asana), practicing the “still
sitting” of sitting meditation (Zazen and Vipassana) from Buddhist meditation
practice, mindful performance of slow movements similar to traditional
“walking meditation” (Kinhin), mindful breathing practice (Breathing-Space)
developed by Jon Kabat-Zinn, former professor at the University of Massachusetts.
In all exercises, the focus is on non-judgmental acceptance of what is
perceptible in the moment. This can be bodily sensations (e.g. pressure, tingling),
feelings, emotions (e.g. fear, sadness), moods, sensory perceptions or
thoughts.

Minimal Risk Maneuver (MRM): A maneuver which is applied in case an 
automated function can no longer assist or perform the driving task or the 
driver does not respond to take over requests. 

Minimum Endogenous Mortality (MEM): Measure of the accepted (unavoidable) 
risk of death due to the relevant technology. It is described in the 
CENELEC standard EN 50126 and concretized as 0.0002 deaths per person 
year as statistical mortality (risk of death) of a European adolescent. 

Misuse: The use of the information and control system functions provided by 
the manufacturer, which are implemented in a manner not intended by the 
manufacturer and which may cause damage. 

Mobility in Urban Air: Extension of urban transport systems into the airspace. 
Current air traffic regulations make on-demand air cabs difficult to imagine. 
“Flight metros” with defined routes may be possible (Bratzel S et al., 2020). 

Mobility management: Description of a target-oriented influence on individual 
mobility behavior with regard to infrastructure planning or traffic management. 
It is defined by transport policy and guiding principles, such as 
environmentally friendly transport or a city designed for human needs 
(Bratzel S et al., 2020). 

Mobility services: Current trends relate to networked mobility services, such as 
an interlinked driving service with car sharing, parking services, charging 
services, micromobility, urban air mobility, a highly networked travel or 
mobility chain and other modes of transport such as public transport, bike or 
ridesharing (Bratzel S et al., 2020). 

Monte Carlo simulation or study: Method from stochastics (used in Artificial 
Intelligence) that solves numerical problems by running a very large number 
of similar random experiments and evaluating them with probability theory 
(Silver D et al. 2016). 

Multimodal services: Includes, for example, on-demand services that enable the 
integration of multiple modes of transport to reach people on a single 
platform. They aim at combining different mobility services (public transport, 
car sharing, private cab, micro mobility ...) to optimize the travel chain. 

Multimodal transport: Use of different means of transport in a given period of 
time. Carriage of persons or the transport of goods within the time slice using 
two or more different modes of transport. 

Naive subject: A term for a driver who tests a new system (up to highly 
automated) under evaluation without more experience and previous knowledge of 
the system than a future customer will have. 

Natural Driving Studies (NDS): Aim to provide a better understanding of driver 
behavior in everyday driving by recording details about the driver, the vehicle 
and the environment. UDRIVE was the first extensive European NDS project 
with cars, trucks and motorcycles (Barnard Y et al. 2016). 

Navigation Level: This category includes tasks related to searching for a route 
to the driver’s destination. 

Negligent behavior: (Fahrlässigkeit) I. Civil law: Disregarding the care 
objectively required in traffic. II. Criminal law: The unintentional realization 
of a criminal act, if the offender has thereby ignored the care possible and 
reasonable to him and could have foreseen the result (Erfolg) defined by law. 
III. Insurance: Anyone who neglects the care required in traffic acts negligently. 

New Work: Describes a structural change in the world of work due to 
digitization and the changing requirements of home offices, co-working spaces 
and digital nomadism. New Leadership aims to replace strictly hierarchical 
management styles with a culture of trust and empathy, while strengthening 
personal responsibility, the development of potential, work-life balance, 
trust-based working hours and locations. Agile working methods are intended to 
accelerate productivity and innovation. 

Normal Operation: A system that operates under normal traffic situations within 
its intended use. 

Open item checklist: Supports working through all open issues so that nothing 
is forgotten (see Fig. 4.14). 

Operational risk: (German: Betriebsgefahr) The general risk associated with 
the operation of an object like a motor vehicle, railway or chemical plant. 
An example in road traffic is the liability of the holder of a motor vehicle 
(Germany: § 7 StVG; Austria: § 1 EKHG). 

Over-the-air update (OTA): A software update that is installed via a wireless 
interface (typically WLAN or mobile network). 

Passenger Transport Law: Regulation for the transport of persons by streetcar, 
trolleybus and motor vehicles for payment or business purposes. 

People-Mover: Usually an automatic means of transport for short-distance 
passenger transport. Sometimes the term People Mover is shortened to PTS for 
Passenger Transport System. 

Permitted risk: (Erlaubtes Risiko) The manufacture of risky technical products 
is not to be judged as negligent (and thus “allowed”) if, according to the 
prevailing opinion of the community of law, the benefits associated with the 
technical product are so great that a few isolated damages can be accepted. 

Poka-yoke: A Japanese technical concept as a part of the Toyota Production 
System (TPS) to avoid (yokeru) or prevent mistakes (poka) or elimination of 
waste accompanied by improving quality. 

Presence: (synonymous meanings: attentive, alert) The term presence has the 
phenomenological meaning of attendance and existence in a time-related and 
three-dimensional perspective. Presence as the opposite of absence, confusion 
or agitation is derived from the French word “présence”, initially from the 
Latin “praesentia” for present-time and “praesens” for at present (see Duden, 
2020) — relevant for human interaction with each other as well as with 
technologies such as automated driving or road traffic. A process of increased 
inner presence of mind, consciousness, alertness, self-regulation including 
control of attention, regulation of emotions and self-awareness can be 
initiated through mindfulness meditations (Tang, Y et al., 2015). 

Primary Driving Task: All aspects necessary for the safe control of a vehicle to 
maintain longitudinal and lateral vehicle control within the traffic environment. 

Proof of Concept: Voluntary final development sub-phase to justify the previous 
steps and complete the concept phase. 

Proven in Use: (Betriebsbewährtheit) Hardware components and software modules 
that have already proven their reliability over a longer period of time under 
the same or similar operating conditions in large production volumes. The 
specific criteria for proven use are not defined exactly the same in various 
industries. Definitions can be found, for example, in the IEC 61508, IEC 
61511, DIN EN 5028, DIN EN 5029, ISO/SAE 21434, ISO 22737, ISO 26262, 
EN 13849, ISO 13849, DIN 50116 and DIN 50600. 

Quality management (QM): Organizational management activities to manage 
and monitor the quality of an operation (see ISO 26262). 

Quantum Computing: Based on quantum processors, which do not work with 
laws of classical physics, but on quantum mechanical principles (superposition 
principle: quantum mechanical coherence — analogous to coherence effects, like 
holography and quantum entanglement). This promises more efficient handling or 
factorization of large (traffic) data (e.g. IBM, Daimler). Accelerated by the 
Corona-virus (COVID-19, Sars-CoV-2, MERS-CoV) outbreak symptoms or pandemics 
including mass quarantine lockdowns, governments and research organizations or 
companies worldwide increasingly invest in this technology. 

Real-time system: Systems designed for the direct control (real-time control) 
and handling of processes supported by real-time computing (RTC) that have 
to meet quantitative real-time requirements for this, such as in process 
control engineering, in engine control systems, automated driving functions, in 
robotics, in satellite system technology as well as in signal or switch systems. 

Reasonable Safety: (German: Angemessene Sicherheit) Courts understand the 
term reasonable safety to mean a reasonable consideration of the outgoing risk 
of injury with the costs to exclude failures. 

Reasonably foreseeable: Technically possible and with a credible or measurable 
rate of occurrence. Technically feasible and with a credible or quantifiable 
probability of occurrence (see ISO 26262). 

Reasonably foreseeable event: Event that is technically possible and has a 
credible or measurable rate of occurrence (see ISO 26262). 

Redundancy: The existence of resources, in addition to those which are 
necessary to realize a desired function or to provide required information (see 
ISO 26262). 

Regions with Convolutional Neural Networks (R-CNN): One of the common 
CNN-based deep learning object detection methods. On this basis, fast R-CNN 
and faster R-CNN exist for faster object detection and mask R-CNN 
for segmentation of objects into boxes (Ren S, 2015; He K, 2017). 

Reinforcement Learning (RL): Machine learning methods where an agent 
independently learns a strategy to maximize the received benefits. Humans as 
well as animals may solve this task by a balanced combining of reinforcement 
learning and hierarchy-based processing (Mnih V, 2015; Sutton R, 2018). 

Remote Service: A process of providing technical services at a remote location 
using telecommunications networks. Car services can be used from outside the 
vehicle to access relevant functions via smartphone, tablet or PC. 

Requirement: A requirement is a statement of the necessary characteristics or 
skills that are either required by a person to achieve a goal, or that a system 
or parts of a system must meet or own in order to fulfil a contract or comply 
with a standard, specification or other formally specified documents. 

Residual Neural Network (ResNet): A residual neural network (ResNet) is an 
artificial neural network (ANN) based on constructions that are known from 
pyramidal cells or pyramidal neurons — a type of multipolar neuron in the 
brain located within the cerebral cortex, the hippocampus, and the amygdala 
as primary stimulation of the prefrontal mammalian cortex and corticospinal 
tract. It enables the training of hundreds or even thousands of layers in object 
recognition and face recognition and won the ILSVRC 2012 competition. 

Residual Risk: The remaining risks after protective actions have been applied. 

Risk: Combination of the likelihood of occurrence (Exposure) and possible 
consequences (Severity) of a dangerous event (harm). 

Risk competence: The ability and willingness to actively deal with risks and 
learn from them. Risk researchers deal with risk behavior, decision theories, 
ecological rationality, social intelligence and models of limited rationality. The 
American Association for the Advancement of Science (AAAS) honored Gerd 
Gigerenzer in the behavioral sciences. His science books of the year: “Gut 
Decisions: The Intelligence of the Unconscious and the Power of Intuition” 
(“Bauchentscheidungen: Die Intelligenz des Unbewussten und die Macht der 
Intuition”), “Simple heuristics that make us smart, about the right way to 
handle numbers and risks” (“Das Einmaleins der Skepsis”) and “Risk savvy: 
How to make good decisions” (“Risiko: Wie man die richtigen Entscheidungen 
trifft”). According to Gigerenzer, gut decisions are successful if they are 
based on expert knowledge: “Corona (Covid-19, SARS-CoV-2, MERS-CoV 
symptoms) gives us the chance to learn statistical thinking” (Gigerenzer G, 
2019). 

Road traffic safety: General road safety has the goal to avoid traffic accidents 
and to reduce the consequences of accidents. This involves various methods 
and measures (see Fig. 2.5). 

Road Users: Any participant in traffic, anyone who uses a road or transport 
infrastructure, such as a pedestrian, cyclist (VRU — vulnerable road users), 
motorist and a self-driving vehicle. 

Safe Exit: The Safe-Exit is a particular driving mission. It transfers the vehicle 
by the fastest route to a state that allows the occupants to leave the vehicle 
safely. 

Safe State: If a system detects a failure through its self-diagnosis, it should 
change to a state in which the system no longer causes hazards. This safe 
state depends on the type of the overall system. 

Safety: A state of protection against damage or other undesirable results. A level 
of acceptable risks without remaining unacceptable or unreasonable risks. 

Secondary Driving Task: Additional activities of the driver that do not serve 
to actually keep the vehicle on the road, such as operating the radio, changing 
the air conditioning settings, entering the destination of the navigation system, 
activating the windshield wipers or headlamps. 

Scrum: A process model within project and product management, especially for 
agile development as an implementation of Lean Development. 

Self-driving vehicle: A self-driving vehicle or self-driving car, also called 
connected autonomous vehicle (AV), fully self-driving vehicle, driverless 
vehicle, robo-car or robot-car is able to sense the environment and can move 
safely with minimal or without human guidance. There are some inconsistencies 
in the terminology similar to other naming schemes such as AutonoDrive, 
PilotAssist, Full-Self-Driving or DrivePilot. A structuring of automation levels 
is documented in SAE J3016. 

Semantic search: More precise search method with consideration of background 
knowledge of the content meaning of texts and search requests in contrast to 
keyword-based search engines. The search is not only based on single words 
in the text, but is also related to the content of relevant texts (Guha R et al., 
2003). 

Series Development: The development phase that follows the concept phase. 
Here, the targeted development of a system concept for a specific vehicle series 
will be continued until the start of production (SOP). 

Shuttle: Originally the device used in the weaving mill to transport the weft. In 
relation to the constant back and forth movement associated with it, the term 
was used in transportation (air transport or land transport) and in other areas. 

Sign-off: The final step in product development, which concludes that the 
system is ready for production based on verifications gathered during the 
design phases. 

Social adequacy: The legal term social adequacy (Sozialadäquanz / Soziale 
Adäquanz) is a principle used in German criminal law. If behavior does 
fulfill externally all characteristics of a legal criminal offense, but moves 
within the usual, historically developed standard, there is, according to the 
current opinion, no improper violation of the law. 

Specification (framework): Various defined requirements that must be fulfilled 
by an automated vehicle system. 

Stabilization Level: Driving task which is related to keep the car under lateral 
and longitudinal control. 

Standard of proof (in law): (German: Beweismaß) Defines, according to 
conventional understanding, the threshold from which the judge or jury may 
regard an asserted fact as proven. 

Statistical computational learning theory: Subfield of Artificial Intelligence 
devoted to studying the design and analysis of machine learning algorithms 
from the fields of statistics and functional analysis (see Hastie T, 2009). 

Strict liability: (Gefährdungshaftung) Liability for damages, which does not 
presuppose fault, but is based on the fact that the person liable for 
compensation unavoidably causes a certain hazard to his or her environment in 
a permitted activity. 

System: An interaction of individual components that are organized to achieve 
a certain function or several functions. A system (Greek systéma “composed 
of several individual parts”) is also defined as a limitable, natural or 
artificial “structure” consisting of various interacting components which 
are/can be regarded as a common entity on the basis of structured relationships. 

System Limit: Based on the operative restrictions of a system. A functional 
restriction is either defined during development or is given by physical or 
technical restrictions (see ADAS Code of Practice). 

System State: The status that a system or a subsystem is currently in (see ADAS 
Code of Practice). 

Team Building Phase Model: Originally developed by Bruce Wayne Tuckman, 
former Professor of Educational Psychology at Florida State University 
with: Forming (entry and discovery phase), Storming (argument and dispute 
phase), Norming (regulation and agreement phase), Performing (work and 
performance phase), Adjourning (dissolution phase). 

Tertiary task: Tertiary tasks attribute actions unrelated to the main driving 
task. They serve to satisfy comfort, entertainment or information needs. 
These include, for example, radio, telephone, heating, air conditioning, other 
entertainment equipment, internet and office technology. 

Tolerable Risk: An accepted risk in the context of society’s current values. 

Trajectory Prediction: Indication of the chronological trend (development path, 
movement of road users) of the variables of a differential equation system in 
a phase diagram. 
TREAD Act: This safety law (TREAD: Transportation Recall Enhancement, 
Accountability and Documentation) was passed by the US Congress in October 
2000 and, since December 2002, has required global manufacturers of cars, 
tires, trailers and child seats, as well as, to a limited extent, automotive 
suppliers whose products are sold in the USA, to report any defects in vehicles 
to the US National Highway Traffic Safety Administration (NHTSA). 

Triage dilemma: Ethically difficult dilemma and not legally codified or 
methodically specified procedure for prioritizing medical aid similar to the 
trolley problem. May occur in mass road traffic accidents or pandemics, such 
as the Corona-virus, Covid-19, SARS-CoV-2, MERS-CoV outbreak symptoms; see 
also: Trolley problem (Truog R, 2020). 

Trolley problem: Thought experiments that describe an ethical dilemma. It 
concerns a decision in which the death of one person is accepted in order to 
save a number of other lives. Using Artificial Intelligence, programmers would 
have to decide for such possible emergency situations; see also: Triage 
dilemma (Bonnefon J-F, 2016). 

Uber: A US-American service company based in San Francisco. It provides 
online passenger transportation services in many cities around the world. 

Unreasonable Risk: Risk that is judged unacceptable in a particular context 
following society’s current values. 

Validation: The dynamic mechanism of evaluating and testing an actual 
product during or at the end of the design process to determine whether it 
meets customer expectations and specified requirements. It generally follows 
after verification. “Did we build what we promised?” 

Value chain: Today, the networked factory with a digital production eco-system 
connects information and Big Data from different production processes, IT 
systems and AI functions in real-time communication via Shopfloor applications 
using 5G wireless network (e.g. Mercedes-Benz digital production ecosystem 
MO360 with the quality management system Quality Live). 

Vehicle: A motorized road vehicle with or without a driver or passengers: for 
example, cars, trucks, buses and motorcycles. 

Verification: A static practice of verifying documents and design that a 
component, a sub-system, a system or a process conforms to specifications. It 
includes all activities to achieve high quality. “Did we build what we need?” 

VGG neural network: Advancement in the Convolutional Neural Networks 
world following LeNet-5 (1998), AlexNet (2012), ZFNet (2013) and GoogleNet 
launch (2014) from Visual Geometry Group at University of Oxford. 
It won the localization task competition at ILSVRC 2014 (Simonyan K et al., 
2014). 

Vision Zero: Different approaches to prevent accidents, injuries and diseases of 
humans. Originally from the field of work safety, Vision Zero was first applied 
to road traffic in Sweden at the end of the 1990s. A basic assumption of Vision 
Zero is that people make mistakes. Therefore, technical and automated systems 
must be designed in a way that these mistakes do not lead to life-threatening 
injuries or illnesses (see Tingvall C, Haworth N, 1999). 

Vulnerable Road Users - VRU: (German: gefährdete Verkehrsteilnehmer) 
Generally refers to non-motorized road users, for instance, pedestrians and 
cyclists, motor cyclists, persons with disabilities or reduced mobility and 
orientation. 

Warning and degradation strategy: Specification to alert the driver to 
potentially limited functionality and how this reduced functionality can be 
provided to achieve a safe state (see ISO 26262). 

Waymo LLC: Subsidiary of Alphabet Inc. for the development of technologies 
for autonomous vehicles called “Waymo Driver”. Waymo, which was founded 
in December 2016, stands for “A new Way forward in Mobility” and continues 
the work of Alphabet’s Google Driverless Car project. 